I. BACKGROUND

A. INTRODUCTION TO RISK MANAGEMENT


Computers have become an integral part of the business and government world by performing many of the operations and applications that, in the past, were either done manually or not at all. In addition to spending vast sums of money to acquire and operate computer hardware, Navy activities have funded software development, communications networks, and administrative and management staff. More importantly, the use of computers has affected the day-to-day operations at a number of Navy activities. Many activities depend so heavily on computers that if the computers ceased operation, either the activities would fail to accomplish their mission or they would suffer a severe degradation in their mission effectiveness.
The introduction of automation has resulted in a substantial increase in the risk an activity faces. For example, the centralization of data and services is often associated with a remote access capability. This capability permits interrogation and alteration of data with little or no check on the authenticity of the source. Additionally, there is often a reduction in the accessibility of visual records accompanying the shift to automated support. In a manual system, sales ledgers, payment books, and invoices are maintained by various internal departments to manage and monitor an activity's business. In a computerized system, these same records are maintained on magnetic storage media and are updated automatically by a software program. The accuracy and authenticity of these records has become the joint responsibility of the data processing department and the user, which often results in uncertainty about the responsibility for data integrity. The question is who is responsible for the data -- the user who originates the input and uses the result, or the data processing department, which has day-to-day responsibility for the automated processing. These new risks have generated an obligation of management to protect this significant investment and to provide for continuity of operations should a catastrophe or accident occur. [Ref. 1-8]
Protection can be accomplished by designing, developing, and implementing countermeasures. These countermeasures, which can be either commercially procured or developed in-house by the activity, must prevent, minimize, or allow the data processing environment to recover from any accidental or intentional unauthorized modification, destruction, disclosure, or denial of service. This process of safeguarding data processing assets is called automatic data processing (ADP) security.
Perfect security is generally regarded as unattainable. Therefore, the goal of a good ADP security program is to reduce, for a reasonable cost, the probability of loss to an acceptable level and to provide adequate recovery in case of loss [Ref. 2: p. 2]. A good program can only be achieved by having top management ultimately responsible for the ADP security program and by applying quantitative techniques to determine how much protection is needed to reduce the risk of operating to an acceptable level.

There are many approaches to help top management determine the appropriate ADP security policy. The most endorsed approach uses risk management as the tool to develop and implement that policy. Risk management is a methodology for analyzing an environment and determining the optimal set of countermeasures needed to provide sufficient protection for that environment.


The General Accounting Office (GAO) reports that "... risk management is an element of managerial science that is concerned with the identification, measurement, control, and minimization of impact of uncertain events upon organizations that depend upon automated operations" [Ref. 2: p. 35]. Robert H. Courtney, Jr., a pioneer of risk analysis techniques, says:

    Most management decisions involve the assumption of risk--the chance that things may not turn out the way we want them to. Decisions made in spite of uncertainties and, indeed, the acceptance of some risk are generally accepted as essential to successful management. Most frequently, however, the key to success lies not in the willingness to accept uncertainty, or to assume risk, but in the ability to recognize and quantify the elements of risk and to deal with them in a fully objective way. [Ref. 3]


B. REQUIREMENTS FOR RISK MANAGEMENT

1. Federal, Department of Defense and Department of the Navy Regulations


The first federal regulation that addressed data security and risk analysis was the Privacy Act of 1974. Major concerns that precipitated this law were the personal information maintained by Federal agencies and the potential risk posed by the increasing use of computers and sophisticated information systems. The Act defines agency responsibilities to guarantee that personal information about individuals collected by Federal agencies is limited to that which is legally authorized and necessary and is maintained in a manner which precludes unwarranted invasions of privacy. The Act requires each agency to ensure the security and confidentiality of such information and to protect against any anticipated threats or hazards which could result in harm, embarrassment, inconvenience, or unfairness. [Ref. 4: p. 133]
When the Act became law on 31 December 1974, virtually every agency in the Federal government was impacted. Because of its implementation responsibility, the Office of Management and Budget (OMB) was particularly affected. OMB responded to the Act by issuing OMB Circular No. A-108, "Responsibilities for the Maintenance of Records about Individuals by Federal Agencies," dated 1 July 1975. Specific taskings associated with this circular are:

• The National Bureau of Standards (NBS) is responsible for developing standards and guidelines on data security.

• The General Services Administration (GSA) is responsible for revising computer and telecommunications procurement policies to ensure compliance with applicable provisions of the Act.

• The (White House) Office of Telecommunications Policy is responsible for reviewing Federal agency policy on interconnection and operational control of networks and communication security devices. [Ref. 4: p. 19]


The Privacy Act of 1974 was the first in a series of events during the 1970's that focused national level attention on the value and vulnerability of Federal data processing. Following the Act, in the spring of 1976, three GAO reports were published that brought congressional attention to this growing concern and increased awareness of the potential risks facing the Federal ADP community. Shortly thereafter, Senator Abraham Ribicoff directed the Committee on Government Operations to conduct a preliminary inquiry into the problems of computer security. The Committee subsequently issued two studies addressing the subject. The first report reviewed some of the major technological issues and problems identified by GAO and provided an extensive collection of articles written by experts in the field of computer security [Ref. 5]. The follow-up report recommended that OMB direct Federal agencies to put into effect appropriate computer security controls and safeguards, that NBS prepare physical and personnel standards for protecting Federal ADP systems according to their sensitivity, and that Federal agencies improve coordination of computer resource protection efforts [Ref. 6: p. 276].
In response to these Congressional recommendations, OMB issued Transmittal Memorandum No. 1 to Circular A-71 in July 1978 [Ref. 7]. In announcing this comprehensive Federal computer security program, OMB Director James T. McIntyre, Jr., said,

    Computer technology now impacts almost every facet of American life. The protection of the technology against unintended, illegal, and unauthorized users is a major challenge. This program addresses that challenge in the Federal community. [Ref. 8]


The Transmittal Memorandum requires each agency computer security program to satisfy the following requirements:

• Conduct a periodic risk analysis for each computer installation operated either in-house or commercially.

• Assign responsibility for security to a management official knowledgeable in data processing and security matters.

• Establish a management control process to ensure that appropriate administrative, technical, and physical safeguards are incorporated.

• Ensure that appropriate security requirements are included in specifications for the acquisition or operation of computer resources.

• Establish personnel security policies for screening all individuals participating in the design, operation, or maintenance of, or having access to, Federal computer systems.

• Conduct periodic audits or evaluations and recertify the adequacy of the security safeguards of each sensitive application.

• Ensure that appropriate contingency plans are developed, maintained, and tested to provide for continuity of operations. [Ref. 7: p. 3]


Also in 1978, Presidential Directive Number 24 was issued and transferred the functions of the White House Office of Telecommunications Policy to the Department of Defense (DOD) and the Department of Commerce. DOD was tasked with telecommunications policy functions relating to national security. All other telecommunications policy functions were assigned to the National Telecommunications and Information Administration of the Department of Commerce. Because DOD is the largest Federal agency in terms of personnel strength, budget size, and number of computers, it is the most affected by the Federal policies discussed above. DOD responded to OMB Circular A-108 by publishing DOD Directive 5400.11 [Ref. 9]. This directive established a DOD Privacy Board with oversight review authority, and included guidelines for safeguarding personal data in ADP systems as an appendix. DOD approached Circular A-71 somewhat less decisively. Since DOD had been involved with the protection of classified data for years, it chose to apply the framework of A-71 to the existing classified arena and integrate the additional protection requirements for unclassified ADP systems. The objectives of DOD were to develop an overall systematic concept of security that applied safeguards to each ADP system commensurate with the sensitivity of the data being processed. DOD forwarded the approach to OMB in a memorandum dated 30 January 1980 and appropriately entitled "A Comprehensive Information Security Program." By the issuance of this memorandum, all military departments were tasked to establish formal risk management and computer security programs as delineated in Ref. 7.

In reaction to the proposed comprehensive DOD ADP Security Program, the Department of the Navy (DON) promulgated OPNAVINST 5239.1, which assigned specific ADP security responsibilities within the Navy and established Designated Approving Authorities (DAA). The current version of this instruction [Ref. 10] directs each Navy activity to assign ADP security responsibilities, establish an activity ADP Security Program, implement a Formal Risk Management Program, and be accredited by the appropriate DAA.

OPNAVINST 5239.1A, together with the Naval Material Command (NAVMAT) and the Naval Supply Systems Command (NAVSUP) implementations, should over a period of time substantially increase the protection afforded to DON ADP systems. The requirements for a Risk Management Program are summarized in Table I, which lists the regulations and reports published in the last decade.
2. Operational Requirements

In order to establish and manage an Activity ADP Security Program, it is incumbent on activity top management (Commander, Commanding Officer, Officer in Charge, or Director) to implement a Risk Management Program. In the process of formalizing this program, top management must establish ADP security policy with explicit regard to OPNAVINST 5239.1A and the unique requirements and constraints of the activity ADP systems. [Ref. 10: p. 1-2]

TABLE I
Federal/DOD/DON Regulations on ADP Security

1974  Privacy Act of 1974 (Public Law 93-579)

1975  OMB Circular No. A-108, "Responsibilities for the Maintenance of Records about Individuals by Federal Agencies," 1 July 1975
      DODD 5400.11, "Personal Privacy and Rights of Individuals Regarding their Personal Records," 4 August 1975
      NAVMATINST 5211.2, "Personal Privacy Act and Rights of Individuals Regarding their Personal Records," 26 September 1975
      NAVSUPINST, "Personal Privacy Act and Rights of Individuals Regarding their Personal Records (Public Law 93-579)," 18 November 1975

1976  GAO Report, "Improvement Needed in Managing Automated Decisionmaking by Computers Throughout the Federal Government," April 1976
      GAO Report, "Computer-Related Crimes in Federal Programs," April 1976
      GAO Report, "Managers Need to Provide Better Protection for Federal Automatic Data Processing Facilities," May 1976
      Senate Committee on Government Operations, "Computer Abuses -- Problems Associated with Computer Technology in Federal Programs and Private Industry," June 1976

1977  Senate Committee on Government Operations, "Computer Security in Federal Programs," February 1977
      NAVMATINST 5510.1, "Security of ADP Systems," 22 March 1977

1978  OMB Circular No. A-71, Transmittal Memorandum No. 1, "Security of Federal Automated Information Systems," 27 July 1978

1979  SECNAVINST 5211.1C, "Personal Privacy and Rights of Individuals Pertaining to Their Personal Records," 4 December 1979

1980  DOD Memorandum, "A Comprehensive Information Security Program," 30 January 1980
      NAVSUPINST 5510.6A, "Security Requirements for ADP Systems," 28 May 1980

1982  OPNAVINST 5239.1A, "Department of the Navy Automatic Data Processing Security Program," August 1982
Since activities have invested heavily in computer resources, they often desire to maximize the utilization of their resources by sharing them among users, both internal and external to the activity. Each user has different need-to-know and need-to-utilize criteria for accessing his information. This requires that individual user data integrity be assured, while concurrently providing shared access to the ADP system. For example, an ADP activity may provide automated support services to both fiscal and logistic users, each of which expects its assets to be protected and available upon demand. The task of simultaneously sharing and protecting an ADP system is the responsibility of the activity providing automated support.

Ref. 10 requires that each Navy ADP activity be accredited for operational use. By accrediting an activity, the DAA, which in some cases is the activity Commanding Officer, acknowledges that the risk of operating the data processing environment is acceptable, in light of the activity's mission and the users' dependence on automated support, and approves the system for operational use. To obtain accreditation, top management must quantify the operational risk and implement an Activity ADP Security Plan. The Risk Management Program described in Ref. 10 and further explained by this thesis is the tool used by top management to quantify the risk present, evaluate the cost-effectiveness of proposed countermeasures, and provide for recurring review of the activity's ADP security posture.
C. INTRODUCTION TO SPLICE

The Stock Point Logistics Integrated Communications Environment (SPLICE) is a NAVSUP project designed to integrate all interactive processing and telecommunications required by current and projected applications systems operating within the Uniform Automated Data Processing System for Stock Points (UADPS/SP). The SPLICE Project will use standard minicomputers and modular software components. A "foreground/background" concept will be implemented with SPLICE minicomputers, which will serve as a front-end processor for the existing stock points' medium-sized Burroughs systems. [Ref. 11: p. 1]

More than twenty new applications systems under development and the current UADPS/SP system comprise the "SPLICE Umbrella." These systems will require considerable interactive and telecommunications support at more than fifty UADPS/SP activities. SPLICE will provide a responsive and economical support capability without saturating the Burroughs mainframes, and will simplify the eventual mainframe replacement [Ref. 12: p. 14]. SPLICE will be a user oriented environment which will provide operating functions such as terminal management, communications management, and database management. Additionally, there will be many support functions such as standard software tools (compilers, etc.), recovery management, and security. The existing Burroughs mainframes will provide large batch processing functions and report generation.

As seen in Figure 1.1, the evolution of computer technology has resulted in the design and implementation of very complex and sophisticated automated environments. The risk of operating these new environments is directly proportional to their overall complexity. As a point of reference, the operational SPLICE Network will fall at the very high end of the technology and complexity scales. The Navy's increased operational dependence on automated systems demands that the risk in SPLICE be evaluated and managed at an acceptable level.
D. OBJECTIVES OF RESEARCH

Research by Naval Postgraduate School faculty and students on the SPLICE Project is concerned with systems analysis and preliminary design proposals for many of the technical areas of SPLICE. This thesis defines a Risk Management Program to evaluate and manage the risk associated with the operation of SPLICE. The methodology proposed draws upon current government and industry techniques and conforms to existing DON and NAVSUP guidance.

Ref. 17 tasked NAVSUP 0415 and the Fleet Material Support Office (FMSO) 94 with conducting a risk analysis of the SPLICE system. It is intended that the Risk Management Program proposed in this thesis be used as a tool to quantify the risk in SPLICE. Using the available information about the configuration of the eventual operational SPLICE activities, this tool can be used to develop the specifications needed to reduce the risk.


E. LIMITATIONS AND ASSUMPTIONS

1. Defense Data Network

The original SPLICE specifications required the Network Interface Subsystem to provide access to the AUTODIN II Network [Ref. 13]. On 2 April 1982 Deputy Secretary of Defense Carlucci directed the termination of the AUTODIN II program and the immediate development of the Defense Data Network (DDN) [Ref. 14]. It is current DOD policy that all data communications users will be integrated into the DDN. It is assumed that the operational SPLICE Network will become a "community of interest" within the DDN. A description of the DDN and a summary of the security provided by the DDN are included in this thesis.

2. Level II Data

It is assumed that the data processed within the SPLICE Network is Level II data, which is defined in Ref. 10 as unclassified data requiring special protection. Since all SPLICE application systems will be processing financial and other management data which is by definition "Sensitive Unclassified Data," it requires protection for reasons other than being classified or personal data. It is judged that the data is sensitive enough to justify a great deal of protection, but no more than that required for classified information.
3. Activity ADP Security Plan

The majority of the SPLICE configurations will be located at Navy ADP activities, which are subject to the Department of the Navy ADP Security Program [Ref. 10: p. 3-5]. Although the proposals set forth in this thesis follow the guidance of Ref. 10, they are concerned only with the risk management of the SPLICE configuration(s) and will not constitute an Activity ADP Security Plan. The Activity ADP Security Plan must be much more comprehensive in order to implement the overall Activity ADP Security Program. In particular, Appendix J of Ref. 10 outlines the mandatory minimum requirements for DON ADP activities. Additional minimum security requirements for SPLICE are given in Refs. 11 and 15.


4. Applications Software Security

Each applications software system must provide its own unique internal security and data integrity, adhering to activity software development policy. Examples of such applications software integrity considerations are computations of money figures (such as what to do with remaining fractions of cents, if any) and maintenance of application-unique audit trails (such as the Transaction Reconstruction File in UADPS/SP). At a minimum, applications software must incorporate the security and audit controls listed in Appendix I of Ref. 10. Applications processing financial data should also conform to Financial Management document 0006.35 for ADP internal control.
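As an added illustration (not from the thesis or the UADPS/SP software) of the two integrity considerations just named, the following Python allocates a money figure across accounts in whole cents, accounts for the remaining fractions of a cent instead of silently dropping them, and records an application-unique audit trail of each allocation; the amounts and account weights are constructed.

```python
"""Added example: allocating a money figure in whole cents with an audit trail.
Not from the thesis; the figures below are constructed for illustration."""
from fractions import Fraction


def allocate_cents(total_cents, weights):
    """Split total_cents across accounts in proportion to weights.

    Exact fractions are used instead of floating point, so no rounding error
    creeps in.  The fractional-cent remainders are distributed by the
    largest-remainder rule, which guarantees the paid shares always sum to
    the total: no cent is lost, and none is created.  The returned audit
    trail records, per account, the exact share owed, the cents actually
    paid and the fraction carried (positive or negative), so the allocation
    can be reconstructed and checked later.
    """
    if total_cents < 0 or not weights or any(w < 0 for w in weights) \
            or sum(weights) == 0:
        raise ValueError("total must be non-negative and weights positive")
    total_w = sum(weights)
    exact = [Fraction(total_cents * w, total_w) for w in weights]
    floors = [int(x) for x in exact]            # whole cents each account is owed
    leftover = total_cents - sum(floors)         # whole cents still unassigned
    # Accounts with the largest fractional remainder receive the leftover
    # cents; ties go to the lower account index so the result is deterministic.
    order = sorted(range(len(weights)),
                   key=lambda i: (exact[i] - floors[i], -i), reverse=True)
    paid = floors[:]
    for i in order[:leftover]:
        paid[i] += 1
    trail = [{"account": i,
              "exact_share": str(exact[i]),
              "paid_cents": paid[i],
              "carried": str(exact[i] - paid[i])}
             for i in range(len(weights))]
    return paid, trail


def trail_balances(total_cents, trail):
    """Audit check: paid cents sum to the total and carried fractions net to zero."""
    paid_ok = sum(e["paid_cents"] for e in trail) == total_cents
    carried_ok = sum(Fraction(e["carried"]) for e in trail) == 0
    return paid_ok and carried_ok


if __name__ == "__main__":
    # Constructed example: $10.00 split three ways cannot be done evenly.
    paid, trail = allocate_cents(1000, [1, 1, 1])
    for entry in trail:
        print(entry)
    print("balances:", trail_balances(1000, trail))
```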
II. OVERVIEW OF RISK MANAGEMENT

A. RISK MANAGEMENT TERMINOLOGY

Before proceeding with a discussion of the functional phases of risk management, it is essential that the terms risk, threat, vulnerability, and countermeasure be explained.

1. Risk

In Webster's Collegiate Dictionary, risk is defined as the possibility of loss or injury; a dangerous element; or the degree of probability of a loss. Unfortunately, the term risk is not a universally defined term. Risk is perceived differently, depending on the circumstance or community.

The insurance industry uses the idea of an "insurable risk." A company identifies both the known and uncertain elements of operating a business and minimizes its potential loss by buying insurance. The insurance agent, using empirical and statistical data, sells protection to the company in the form of financial compensation should its assets be lost. To determine how much coverage is needed, the agent relies on historical data, prediction models, and business experience. Unfortunately, the computer industry is relatively new and little analytical data is available for assessing the areas and extent of potential security risks.

In business economics, there are two types of risk: speculative and pure. When a business invests, and there is a degree of uncertainty as to whether the investment will result in a gain, the risk is speculative. When the only possible outcome is either loss or no change, the risk is classified as pure.

In the context of ADP security, only a pure risk can exist. Risk within the data processing community is defined as the likelihood of a loss and the expected amount of that loss with respect to the assets of an activity.

2. Threat

H. Stephen Morse of the System Development Corporation defines a threat as any action, event, or circumstance, the occurrence of which is likely to adversely affect the assets of an activity. Threats exist in general because of the unpredictability of the real world. However, the presence of a threat does not equate to harm or loss. For that to happen, there must be a successful attack by a threat agent using a specific technique, methodology, or spontaneous occurrence.

Threat agents are classified as natural environmental factors (tornado, flood, fire, etc.), authorized users (programmers, operators, etc.), and unauthorized users (anyone not an authorized user). A threat agent causes a threat to be realized by attacking the assets of the activity, and can impact these assets in at most four areas: modification, destruction, disclosure, or denial of service. Whether the attack renders harm or loss to the activity is dependent upon the threat agent successfully penetrating the existing countermeasures and exploiting weaknesses (vulnerabilities) in the data processing environment.

The threats facing an activity can be a function of its geographic location, personnel workforce, processing mode, physical facilities, or computer system architecture. Since these elements are constantly changing, threats are considered dynamic and should be continually monitored.


Figure 2.1 Some Typical Threats and Their Usual Defense.

Perhaps the easiest way to understand threat is by an example. Although the existence of threats is beyond our control, a threat will not necessarily materialize or cause harm. There is always the threat of a fire, but that does not mean there will be a fire. The occurrence of a fire and the extent of damage a fire would cause depends in part on the weaknesses in the facility. The weakness, in this case, is the lack of adequate fire protection. Figure 2.1 shows some typical threats and their usual defense.


3. Vulnerability

OPNAVINST 5239.1A defines a vulnerability of a computer system as a weakness in its physical layout, organization, procedures, hardware, or software that may be exploited to inflict harm. As with a threat, the presence of a vulnerability does not in itself cause harm; a vulnerability is merely the condition or set of circumstances of which the threat agent can take advantage. [Ref. 10: p. A-17]

The vulnerabilities of a computer system increase directly with its complexity; remotely accessed, resource-sharing computer systems that allow remote job entry are significantly more likely to have weaknesses than a dedicated, batch-processing, stand-alone system with no remotely located terminals. Figure 2.2 illustrates some potential vulnerabilities of a computer system.

One purpose of evaluating a data processing environment is to identify all vulnerabilities existing in the facility, system, or operation. By conducting a thorough analysis of identified weaknesses and weighing each by the probability of a successful attack by a threat agent, the vulnerabilities of the data processing environment can be measured. Vulnerabilities, unlike threats, are generally under the control or influence of the data processing management, and can be modified to reduce the severity of an attack.
4. Countermeasure

The words countermeasures, safeguards, protective measures, backup measures, and control mechanisms are often viewed as being synonymous. A countermeasure is any protective action, device, procedure, technique, or mechanism that when implemented reduces the exposure of a vulnerability to successful attacks. These corrective features are designed and developed to protect the assets of an activity. The purpose of a countermeasure is to either reduce the probability of a successful attack or to provide mechanisms for controlling the severity of the loss to which the activity is exposed. Some examples are backup copies of software, access controls, and audit trails.

As shown by Figure 2.3, risk management is concerned with the interaction among the terms just defined. Risk is the extent and probability of loss due to the manifestations of threats (attacks) at points of vulnerability in light of installed countermeasures.


B. RISK MANAGEMENT: A FUNCTIONAL APPROACH

Risk management with respect to computers is a new discipline that provides quantifiable techniques for assessing the risk of operating a computer system in light of existing protection measures, and determining the requirement for additional countermeasures to protect that system. Leading authorities in the data processing industry are using various techniques for analyzing risks. However, most agree on a formal, four-phased approach to risk management: risk analysis, management decision, risk control, and operational continuity.
... accidental or intentional unauthorized modification, destruction, disclosure, or denial of service. This ALE value is a baseline for assessing the ADP security posture of an activity.

As shown by Figure 1.1, the risk that an activity faces is directly proportional to the complexity of its data processing environment. Because of this, top management bases the scope and depth of the risk analysis on the complexity of the particular environment being evaluated. Some factors that are pertinent to the decision are the size of the physical facility, the value of the data (both internally to the activity and externally to others), the configuration of the data processing devices, and the activity's and users' missions. The risk analysis technique attempts to predict future risk exposure of an activity based on a thorough examination of its assets, threats, vulnerabilities, and existing countermeasures. This evaluation relies heavily on the professional experience and technical knowledge of the risk analysis team. For this reason, it is vital that the team be drawn from both the data processing department and the users' departments in order to take advantage of their diverse backgrounds and technical expertise. The team members should be highly skilled professionals, whose selection will substantially influence the quality of the final risk analysis product. Additionally, the risk analysis team must be supported at all levels if the analysis is to accurately reflect the security posture of the activity.


In this phase top management decides, based on the risk analysis, the activity's mission, and the users' degree of dependence on automation, if the existing countermeasures provide sufficient protection. Before making this decision, top management reviews the risk analysis to determine if appropriate assumptions were made and operational constraints were considered. The risk analysis quantified the "current level" of risk associated with operating the existing computer system and documented the activity's ADP security posture. The risk analysis should be presented to top management in such a manner that decisions can be made in relation to the documented threats, vulnerabilities, and countermeasures.


At this junction, the Risk Management Program can take one of two directions, contingent on the decision of top management. If top management judges the current level of risk as acceptable, then the Operational Continuity Phase is entered. By entering directly into this phase, top management is explicitly acknowledging that existing control measures and procedures are sufficient and the current security level is to be maintained. On the other hand, if top management decides that the current level of risk is unacceptable, then the Risk Control Phase is initiated. This means that top management is not willing to tolerate the risk. Before the Risk Control Phase is begun, top management should assign a risk control team and provide guidance about those deficiencies of greatest concern. The risk control team should be composed of a greater proportion of data processing technicians than the risk analysis team.
3. Risk Control 


The objective of this phase is to propose to top management an optimal set of countermeasures that have proven cost-effective and technically feasible. The countermeasures needed to bring the risk of operating to an acceptable level are selected from a combination of risk avoidance and reduction techniques. Risk avoidance [addresses whether ...] should be abandoned, redesigned, or deferred because the potential harm is too great to be controlled with existing technology. Countermeasures to reduce risk fall into three basic categories:

• Protective measures which reduce the damaging effects of external events.

• Control measures which reduce the likelihood of undetected [...], unauthorized modifications and unauthorized disclosure.

• Back-up (contingency) measures which provide alternative means for carrying on the mission of an activity subsequent to an event which disrupts normal operations.
After top management selects and approves those measures that have the greatest potential of minimizing the overall losses, the risk control team prioritizes them for implementation. This phase is complete when top management [...] proposed additional countermeasures and [...].


The Operational Continuity Phase is initiated either after completion of the Risk Control Phase or [...] following the Management Decision Phase. If the Risk Control Phase was executed, resources are dedicated in this phase to carrying out the action plan developed for implementing the approved additional countermeasures.

During this phase, the DAA makes the technical and managerial policy decision regarding the accreditation of the activity. That decision is made immediately if no Risk Control Phase was executed, or after the implementation of additional countermeasures. Regardless of whether or not additional countermeasures are being implemented, the process of risk management continues. This ongoing process is considered essential to preserve the [security] posture of the activity and includes continual review, audit, and evaluation of the [data] processing environment. This phase is terminated when it is deemed necessary to reinitiate the Risk Analysis Phase because either a five year time interval has passed or the policy of top management so dictates.
III. RISK MANAGEMENT PROGRAM


The proposed Risk Management Program furnishes a framework which is tailored to the unique aspects of the data processing environment. The foundation of this program is taken from Refs. 2 and 10 and the recent experiences of industry. Quantitative techniques are used in the Risk Analysis and Risk Control Phases. These techniques do not utilize exact values; instead, values are scaled by orders of magnitude. The use [of order-of-magnitude values accommodates] the lack of empirical data, incomplete knowledge of the future likelihood of threats, and [the uncertain] effectiveness of countermeasures.

As a first step in establishing a formal Risk Management Program, it is recommended that activity top management implement a managerial structure which includes an ADP Security Staff as described in Ref. 10. The activity is directed to the Commander, Naval Data Automation Command (COMNAVDAC) for technical assistance [with the risk] analysis. Within the DON, COMNAVDAC [is tasked with] providing assistance as requested and with ensuring that risk management expertise is shared across [organizational] boundaries.
This chapter is broken into the phases of a Risk Management Program and is intended to meet two objectives. The first is to describe in a cohesive manner the philosophy of each phase. The second is to give, where necessary, specific implementation considerations independent of the philosophy.
According to Ref. [...], there are three distinct steps in risk analysis. These steps, as shown in Figure 3.1, must be completed in sequential order. The purpose of the Risk Analysis Phase is to quantify, in accordance with the policy guidelines from top management, the risks of a data processing environment in relation to its threats, vulnerabilities, and existing countermeasures. The [following] conceptual model and implementation considerations elaborate on how this quantification is performed.

Figure 3.1 The Major Steps of Risk Analysis. [Flow diagram; legible boxes: "Asset Loss Determination" and "[...] Vulnerability Evaluation".]
[The model follows the] risk analysis process presented in Appendix E of Ref. 10. It takes into account the work of Robert H. Courtney [Ref. ...], NBS (Ref. 17), and Jerry Fitzgerald [Ref. 19]. The model allows one to systematically quantify asset losses and attack frequencies on an annualized basis and to calculate from these the total annual loss expectancy (ALE) of an activity.


This step identifies all of the assets within [an] activity and quantifies the activity's [loss if they are] harmed. The [process by which] assets [are] identified is addressed in the implementation considerations. [...] naming an [asset], a description is written to document how that named asset could be impacted by threats in general. [Then], for each named asset, four loss values are determined, one for each threat impact area. The [four impact areas are] modification, destruction, disclosure, and denial of service. Each loss value is an estimation in dollars of what an activity will lose if one attack is completely successful in causing harm in that impact area to the asset. Put another way, given that there is a one hundred percent probability of one successful attack, how much is an activity willing to pay to prevent that attack? This step is completed by transforming each loss determination into a loss rating [Ref. 17: p. 10]. The model component representing this step is summarized in Table II.
TABLE II
Asset Loss Determination Model

The loss determination function, L(i,A), is an empirical estimation of loss, in dollars, of asset A in impact area i, rounded to the nearest exponential value of ten. The function is expressed as:

    L(i,A) = function [ D(A), N(A) ], rounded

Where:
    i    = the threat impact area (modification, destruction, disclosure, or denial of service)
    A    = the unique name of an asset
    D(A) = the description of how asset A could be affected by threats
    N(A) = the number of identical assets A subject to the same threats

The loss rating function is a logarithmic mapping from L(i,A) onto an ordinal integer scale ranging from 0 to 8. The zero rating indicates asset A is not affected in a particular impact area i. The function is expressed as:

    LOSS(i,A) = log10 [ L(i,A) ]





b. Threat and Vulnerability Evaluation

This step identifies each threat which could possibly affect the assets of an activity, provides pertinent textual descriptions, and expresses the probability of an attack with an annualized frequency rating. The first description defines the threat and [lists the potential] threat agents. The second description discusses [the vulner]abilities which are susceptible to attacks by threat agents. The last description describes existing co[untermeasures ...] to counter those attacks. The threats [...] common to the current minicomputer environment are identified in the implementation considerations.

Since the realization of a threat can have an impact [on] assets in four areas, four frequency occurrences must be estimated. The frequency occurrence represents, on an annualized basis, how often a threat agent can be expected to penetrate the defenses of an activity and successfully attack assets. This step concludes by transforming the frequency occurrence for each impact area into a frequency of successful attack rating [Ref. 17: p. 10]. The model component for this step is summarized in Table III.


c. Computation of the Total Annual Loss Expectancy

The final step of the risk analysis calculates an activity's Total ALE by a series of computations. The Total ALE quantifies the average yearly risk exposure in [dollars] resulting from modification, destruction, disclosure, and denial of service. The activity's risk exposure reveals the degree to which the existing vulnerabilities permit threats to be realized against the assets of the data processing environment. The first computation uses a matrix of all assets and threats for each impact area. An ale (uncapitalized) is computed for each combination of loss rating (of a single asset) and frequency of successful attack rating (of a single threat) paired by the same impact area [Ref. 17: p. 10]. This is the risk exposure for that specific asset and threat intersection. The second computation computes the ALE for impact area i as the sum of all ale's in impact area i. The last computation totals the four impact area ALEs. The model component for this last step is presented in Table IV.
TABLE III
Threat and Vulnerability Evaluation Model

The frequency occurrence function, F(i,T), is a stochastic estimate of the frequency per year of successful attack by threat T in impact area i. The function is expressed as:

    F(i,T) = function [ D(T), V(T), C(T) ]

Where:
    i    = the threat impact area (modification, destruction, disclosure, or denial of service)
    T    = the uniquely named threat
    D(T) = the definition of threat T and listing of [...] threat agents
    V(T) = the discussion of the vulnerabilities which allow threat T to materialize
    C(T) = the description of the existing countermeasures to counter threat T

The frequency of successful attack rating is a logarithmic mapping from F(i,T) onto an ordinal integer scale ranging from 0 to 8. The zero rating indicates that threat T does not affect any of the activity's assets in a particular impact area i. [After the mapping] is computed, it is rounded to the nearest integer. The function is expressed as:

    ATTACK(i,T) = log10 [ 3000 × F(i,T) ], rounded

TABLE IV
Activity Total ALE Computation

The individual "ale" function is a mathematical mapping from LOSS(i,A) and ATTACK(i,T) onto the annual loss expectancy [...] associated with each combination of asset A and threat T having the same impact area i. The function is expressed as:

    ale(i,A,T) = [ 10 ^ ( LOSS(i,A) + ATTACK(i,T) - 3 ) ] / 3

The ALE function for impact area i is a summation of the "ale"s computed above and is expressed as:

    ALE(i) = Σ ale(i,A,T)    (summed over all A and T)

The Activity Total ALE function is a summation of the four impact area ALEs and is expressed as:

    Activity Total ALE = Σ ALE(i)    (i = 1 to 4)

2. Implementation Considerations

Top management begins this phase by selecting the risk analysis team and providing them policy guidance on the scope and depth of the risk analysis. The members are assigned in writing and their accompanying duties and responsibilities are documented. Team selection is based not only on individual diversity of specialized technical [skills], but also on familiarity with the activity's mission and knowledge of the data processing services provided.
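The three-step model of Tables II, III and IV carried through in code, as an added example (this is not code from the thesis or from the DON and NBS references it cites): a constructed activity with one payroll application and one terminal, the LOSS and ATTACK rating functions, the per-cell ale, the ALE per impact area and the Activity Total ALE. The asset names, dollar values, attack frequencies, the cap of 8 applied to the ATTACK scale and the function names are all constructed assumptions. Two things the tables leave implicit are handled explicitly: the zero rating ("not affected") must make a cell $0, which the bare formula 10^(LOSS+ATTACK-3)/3 would not do on its own, and, because both ratings are base-10 exponents, a single one-step error in a loss estimate moves every cell in that asset's row tenfold, which is the point of the sensitivity analysis the Management Decision section later asks for.

```python
import math
from itertools import product

# Added example of the risk analysis model in Tables II-IV (constructed data,
# not the thesis's own figures). Ratings are integers 0-8; 0 means "not affected".

IMPACT_AREAS = ("modification", "destruction", "disclosure", "denial of service")
MAX_RATING = 8  # $100,000,000 for LOSS (Table II); assumed cap for ATTACK as well


def loss_rating(dollars: float) -> int:
    """LOSS(i,A) of Table II: the dollar loss is rounded to the nearest power of
    ten and the rating is that exponent (log10). A $0 loss means the asset is not
    affected in this impact area and gets the zero rating."""
    if dollars <= 0:
        return 0
    return max(1, min(MAX_RATING, round(math.log10(dollars))))


def attack_rating(freq_per_year: float) -> int:
    """ATTACK(i,T) of Table III: log10[3000 * F(i,T)], rounded, so rating 1 is
    one attack in 300 years, 3 is one in 3 years and 6 is about one a day.
    F = 0 (threat does not affect this area) gives the zero rating."""
    if freq_per_year <= 0:
        return 0
    return max(1, min(MAX_RATING, round(math.log10(3000 * freq_per_year))))


def ale(loss: int, attack: int) -> float:
    """ale(i,A,T) of Table IV: 10**(LOSS + ATTACK - 3) / 3 dollars per year.
    Either rating being 0 means the pair cannot produce a loss, so the cell is
    $0 rather than the 10**(rating - 3)/3 the bare formula would return."""
    if loss == 0 or attack == 0:
        return 0.0
    return 10 ** (loss + attack - 3) / 3


def activity_total_ale(losses: dict, freqs: dict):
    """losses: {(area, asset): dollars}; freqs: {(area, threat): attacks per year}.
    Returns ({area: ALE(i)}, Activity Total ALE). For every impact area the full
    asset x threat matrix is evaluated, as in the model's first computation."""
    per_area = {}
    for area in IMPACT_AREAS:
        assets = [d for (a, _), d in losses.items() if a == area]
        threats = [f for (a, _), f in freqs.items() if a == area]
        per_area[area] = sum(ale(loss_rating(d), attack_rating(f))
                             for d, f in product(assets, threats))
    return per_area, sum(per_area.values())


def one_step_sensitivity(losses: dict, freqs: dict) -> dict:
    """For each loss estimate, the change in Total ALE if that single estimate
    were ten times higher (one rating step). Shows which estimates the Total
    ALE actually hinges on before top management accepts the figure."""
    _, base = activity_total_ale(losses, freqs)
    deltas = {}
    for key, dollars in losses.items():
        perturbed = dict(losses)
        perturbed[key] = dollars * 10
        _, total = activity_total_ale(perturbed, freqs)
        deltas[key] = total - base
    return deltas


def example_activity():
    """Constructed sample activity: one payroll application and one terminal."""
    losses = {
        ("modification", "payroll master file"): 20_000,       # rating 4
        ("destruction", "payroll master file"): 100_000,       # rating 5
        ("destruction", "terminal"): 2_000,                    # rating 3
        ("disclosure", "payroll master file"): 10_000,         # rating 4
        ("disclosure", "terminal"): 0,                         # not affected: 0
        ("denial of service", "payroll master file"): 50_000,  # rating 5
        ("denial of service", "terminal"): 500,                # rating 3
    }
    freqs = {
        ("modification", "programming error"): 0.5,   # once in 2 years  -> 3
        ("destruction", "fire"): 1 / 25,              # once in 25 years -> 2
        ("destruction", "operator error"): 2,         # twice a year     -> 4
        ("disclosure", "unauthorized user"): 1,       # once a year      -> 3
        ("denial of service", "power failure"): 4,    # four a year      -> 4
    }
    return losses, freqs


if __name__ == "__main__":
    losses, freqs = example_activity()
    per_area, total = activity_total_ale(losses, freqs)
    for area, value in per_area.items():
        print(f"ALE({area}) = ${value:,.0f}")
    print(f"Activity Total ALE = ${total:,.0f}")
    for key, delta in one_step_sensitivity(losses, freqs).items():
        print(f"one step higher on {key}: Total ALE +${delta:,.0f}")
```

Running it on the constructed data gives a Total ALE of about $683,000, of which almost all comes from two cells (payroll master file against operator error, and against power failure); the sensitivity pass shows that a one-step error on the payroll master file destruction estimate alone would move the Total ALE by about $3,030,000, while the same error on the terminal moves it by a few thousand dollars. That is the kind of concentration a review of the analysis should surface before the figure is used for a decision.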

The scope and depth of the risk analysis depends on the complexity of the data processing environment. The SPLICE Network, as previously described in Section I.C., will be a decentralized, interactive, telecommunications environment. Risk increases in direct proportion to the complexity of the data processing environment. The SPLICE falls on the high end of the complexity scale as seen in Figure 1.1.

The risk analysis of SPLICE should at the [...] be conducted after the developmental phase [...] the eventual operational environment, or by [comparison] to one already in existence. [...] analysis of the developmental phase deals with [...] estimates and design considerations, [...] the operational [...] system deals with final specifications [...] requirements. Since [...] the system's life cycle, [...] can be included in the [...] at a reasonable cost. [In] the operational stage, [...] measures are no longer [...]. [...] environment has been [...] the applicability of a pre[vious ...] either [...] requirements [...] agrees that if five years has passed, [...] be thoroughly reexamined and documented. [...] if only one area has realized a major change and less than five years has passed, [...] portion of the environment should be [...] evaluated. During the reevaluation, the risk analysis team is cautioned not to overlook those areas indirectly impacted by the change.

The final [...] requiring policy guidance [...] concerns the level of detail required to document estimated loss expectancies and frequency occurrences. The degree of granularity [...] imposed by top management [...] the time and resources required to conduct an activity risk analysis. [...] detail should be sufficient for the risk analysis to be judged credible and defensible.

Having discussed the policy areas requiring the attention of top management, it is now time to focus on the practical considerations of actually conducting a risk analysis. The guidelines provided in the next two sections are general rules of thumb synthesized from Refs. 10, 33, 20, and 21. Ref. [...] [...] Ref. 10, Appendix E contains the forms required by [...] documenting an activity's risk analysis.


a. Asset Identification and Loss Expectancy

Assets which function as a single unit of application [are] identified as a whole asset since all of [its] components must be working for the asset to be serviceable. Likewise, if any component is damaged, the entire asset should be equally as likely to suffer the same damage as the component. Asset identification proceeds by reviewing the broad resource categories listed in Table V and by adding additional assets that are unique to the activity. The current DON guidance states:

    For each asset defined, all components of this asset should be in the same physical [area], protected in the same manner, and subject to damage by the same threats. For example, consider six [...] computers as six separate assets because damage to one of them would not imply damage to all of them. On the other hand, [consider] a single computer as a collection of subparts because if one of these components were to fail, the entire computer would be damaged to a similar level. [Ref. 10: p. E-2]

The level of disaggregation and the method for determining the loss associated with each asset are two areas which [should be] standardized to minimize individual interpretations and double counting of losses. Some general guidelines on the appropriate level of disaggregation that can serve as standards are as follows.

• Information required to perform a single function should be grouped accordingly at that functional level. This is because only partial information is not sufficient for performing the application. For example, the master and transaction files of a payroll system must both be available to issue paychecks. This same reasoning applies to the other soft asset categories of [...]. [...] scheduler, main memory manager, I/O supervisor and [...], which must all be [...] managing the overall system. To consider each component as a separate asset would be incorrect because they all act as a single unit.

TABLE V
The Seven Categories of Assets
(Asset Examples Identified by Resource Category)

    Category          Representative Sampling
    Information       System (audit trails, bootstrap files, performance statistics), [...] ([...] files, transaction data, output files), and backup copies
    Hardware          Central processing system, storage media (disk packs, [...], cards), special [...] (front-end processors, [...] devices), [peripherals] ([...], terminals, disk drives)
    Software          System (operating system, compilers, [...] routines), application programs, and backup copies
    Communication     [...] communication processors, modems, and multiplexors
    Personnel         Computer (operators, programmers), [...] ([...]), support (clerks, [...]), management, [...], maintenance, and users
    Administrative    Documentation, operational procedures, user guides, I/O procedures and [records]
    Physical          Environmental systems, buildings, office equipment, supplies and auxiliary power

The unique identification of fixed assets is somewhat easier as their physical boundaries are visually recognizable. Fixed assets include the categories of hardware, communication, and physical assets of an activity, and are usually controlled by [...] numbers and [...] cards. As with soft assets, fixed assets are grouped according to whether they [function as a single unit]. [For] example, the operator console of a computer system [must] be functioning, otherwise the computer system is inoperable. On the other hand, if one tape drive [...] starts to malfunction, only that drive is affected, not all of them. [For the remaining] asset category of personnel, [no] universal grouping method exists; [the team must] decide, based upon their [...], which grouping alternative is best. Some potential alternatives are by skills, experience, salary, [department] assigned, or job classification.


Determining the loss of an asset requires careful attention to how essential it is [to the activity's] mission and how much an activity will lose if it is damaged. The user expresses how essential an asset is by assigning [a crit]icality value that reflects the imp[ortance ...] utilization of that asset. As expect[ed, ...] by all levels of management relying on that a[sset]. For fixed assets, the loss value for mo[dification ...] original cost, or replacement cost. Additionally, [for] destruction, the loss value includes the cost of doing without that asset. For disclosure damage, the user quantifies the loss by determining the worth of the asset to someone else, such as a hostile agent (any unauthorized [user]). The remaining area of denial of service is harder to quantify. One must envision a typical time during which the asset would be unavailable to satisfy user's demand for processing and estimate the maximum period that is tolerable for the user to be without service of that asset. Then, using these two timef[rames], one determines the estimated cost of getting that [service] from a commercial timesharing company, realiz[ing that the] user with the shortest tolerable time perio[d has the most] critical need for service.
The soft assets of information, software, and administrative documents and procedures are subject to the same four areas of damage (modification, destruction, disclosure, and denial of service) as fixed assets. However, in determining their loss values for modification and destruction, a different approach is taken. Some soft assets of an activity are generated by an internal project team or created uniquely for a particular function of the activity. This means that if such an asset is destroyed, the loss value is estimated by the cost of recreating the asset and of doing without it. For modification damage, the loss value is determined by either revalidating all the files or recertifying the administrative documents and procedures. To quantify the damage resulting from disclosure or denial of service, the guidelines given for fixed assets are appropriate.
[...] quantifying the loss value of assets for which there are spares or duplicates. [... a terminal for] which there is a spare, then the loss due to destruction is only the terminal's replacement and installation cost and does not include the cost of not having the service available. If no spare is available, then the loss from destruction includes all three costs. Likewise, some soft assets, such as centrally designed software or off-the-shelf documentation, are easily replaced from another activity or commercial vendor. For example, if an application system for which there is a duplicate copy is modified or destroyed, then the loss value only includes the overhead and computer running time needed to install the backup. The point is that the loss value of assets for which there are replacements must only reflect the cost to install the backup and replace it. That cost might include the additional costs to bring the backup version into operational use.
When quantifying the loss value of personnel, one takes into consideration the availability of [replacement] personnel, whether unique training or knowledge is required, and the activity's ability to absorb the loss based on the current number of skilled personnel.

In summary, the importance of this [step cannot] be overemphasized since the data collected directly affects the analysis. The implementation considerations presented should be viewed as a baseline for the risk analysis team. Many additional constraints and guidelines are unique to each particular activity and must be identified and documented.
b. Threat and Vulnerability Evaluation

In the previous section, guidance was given on quantifying the loss expectancy of assets. This section addresses the opposite side of that task: how an activity identifies the potential problems and hazards of running a data processing environment.

The risk analysis team begins by marking those assets critical to the activity's mission and adding those additional ones which might be very attractive to someone external to the activity. Someone may want the asset because of what could be gained by corrupting its internal contents, learning its function or meaning, or denying the activity possession.
With the assets just marked [...], the team [...] considers all the potential threats that, if realized, could inflict damage. One starts by considering the possible adversaries that would take [...] to attack the activity. Basically, this means [listing] the most likely threat [agents, such as ...] operators, authorized users, and hostile [...], and [asking] how they could hurt the a[ctivity]. To complete the review, it is prudent to ask where might each attack occur, such as at the computer mainframe, remote terminal, programming office, or tape library. Additionally, one should ask when might it happen: during normal working hours, on holidays, [during a] shift change, or during an emergency such as a system crash, power failure, or fire. [Following this additional review], potential threat scenarios can be documented and evaluated.

Having listed every plausible threat scenario, the team determines how the potential attacks could harm the activity. This refers back to the four threat impact areas of modification, destruction, disclosure, and denial of service. [After determining the impact area, an] evaluation is made concerning how often a threat might be perpetrated. This evaluation requires [estimating] the probability of each scenario occurring, given the existing ADP security posture of the activity.
In summary, one identifies threats by considering those threats that:

• have been known to occur at the activity in the past: machine failure, theft, system crashes, information loss and vandalism;

• [could] occur with some reasonable probability in the geographic area: fire, earthquake, and flood; and

• [...] could result from accident[al ...] humans. [Ref. 22: p. 32]

As a starting point, some threats which [are] common to the current data processing environ[ment are] listed in Table VI. Additionally, the impact area(s) associated with the realization of each threat is (are) marked accordingly. The examples are a representative sampling which the risk analysis team can use as a checklist of potential threat areas. For a more exhaustive threat evaluation the reader is encouraged to read Martin (1973), NBS [...] (1974), Ref. 20, and Ref. 22.
B. MANAGEMENT DECISION

In this phase of the Risk Management Program, activity top management judges whether the level of risk attributed to the data processing environment is acceptable.

Before making that judgement, top management appraises the risk analysis. This appraisal includes conducting a sensitivity analysis on the data used to substantiate the Total ALE and evaluating the technical merits of the overall analysis effort. The sensitivity analysis determines what effects changes in the estimated data can have on the Total ALE. The technical merits can be evaluated by asking the following types of questions.

• Did the users participate in estimating the loss expectancy of assets?

• Was the risk analysis team adequately skilled and experienced to make the appropriate assumptions?

• Are the results realistic and defensible?

• Can the results be replicated by another team?

• Were the calculations performed correctly?

• Were the existing countermeasures sufficiently considered in the analysis?

• Did the risk analysis team adequately consider the activity's mission and users' dependence on automated support?

If the results of the risk analysis are not acceptable, top management identifies the deficiencies in the analysis and reinitiates the Risk Analysis Phase. If the results are acceptable, top management approves the risk analysis.

After the risk analysis is approved, top management determines whether all mandatory countermeasures have been implemented. This is done by comparing the list of mandatory countermeasures with existing ones documented during step 2 of the risk analysis.
Top management next evaluates the Total ALE. The decision of whether the Total ALE is acceptable depends exclusively on the amount of risk that top management is willing to assume, given the activity's mission and users' dependence on automated support. Many judge the level of risk as acceptable when the loss per year is so small that the activity's overall mission is not significantly degraded if threats are realized. Since each activity has a unique combination of assets, vulnerabilities, personnel, and security policies that establishes its data processing environment, no universally accepted ALE is appropriate for all activities. [Ref. 23: p. 2]

The pertinent decisions relative to this phase are modeled by the decision table in Table VII. The table is divided into two blocks (conditions and actions). The decision table is read by IF condition 1 AND condition 2 AND condition 3 are true, THEN take the action marked. When evaluating each condition listed, note that the column entries indicate the conditional states of satisfied (T), not satisfied (F), or has no bearing (-). The action block lists each decision relevant to the various conditional states. The action column entry "X" indicates the action to be taken while a blank implies no action required.
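Table VII read as an executable decision table, added here as an example and not part of the original thesis. The three conditions and the four columns of T/F/- states are those of the table. Which action each column selects is taken from the surrounding text (an analysis that is not credible is reinitiated, an acceptable Total ALE leads to Operational Continuity, an unacceptable one to Risk Control); the column in which mandatory countermeasures are not yet implemented is assumed to lead to Risk Control, where that constraint is enforced, since the table's X marks did not survive the scan. The function names and the rule ordering are constructed. The check at the end is the property a decision table must have before anyone reads decisions off it: every combination of condition values hits exactly one column.

```python
from itertools import product

# Added example: Table VII as an executable decision table. Conditions are
# rows, rules are columns; a cell is "T" (satisfied), "F" (not satisfied) or
# "-" (has no bearing). Actions per column follow the section text; the
# "mandatory not implemented -> Risk Control" column is an assumption.

CONDITIONS = (
    "risk analysis credible and defensible",
    "mandatory countermeasures implemented",
    "total ALE acceptable",
)

# (states in CONDITIONS order, action marked for that column)
RULES = (
    (("T", "T", "T"), "Initiate Operational Continuity Phase"),
    (("T", "T", "F"), "Initiate Risk Control Phase"),
    (("T", "F", "-"), "Initiate Risk Control Phase"),   # assumed column action
    (("F", "-", "-"), "Reinitiate Risk Analysis Phase"),
)


def rule_matches(states, facts) -> bool:
    """IF condition 1 AND condition 2 AND condition 3 hold, where '-' always holds."""
    return all(s == "-" or (s == "T") == f for s, f in zip(states, facts))


def decide(credible: bool, mandatory_done: bool, ale_acceptable: bool) -> str:
    """Return the single action Table VII marks for the given condition values."""
    facts = (credible, mandatory_done, ale_acceptable)
    actions = [action for states, action in RULES if rule_matches(states, facts)]
    if len(actions) != 1:
        raise ValueError(f"table gives {actions} for {facts}; exactly one action is required")
    return actions[0]


def table_defects(rules=RULES):
    """Completeness and non-ambiguity check: every combination of the three
    conditions must be covered by exactly one column. Returns the offending
    combinations with the columns they hit; an empty list means the table is sound."""
    defects = []
    for facts in product((True, False), repeat=len(CONDITIONS)):
        hits = [action for states, action in rules if rule_matches(states, facts)]
        if len(hits) != 1:
            defects.append((facts, hits))
    return defects


if __name__ == "__main__":
    print("defects:", table_defects())
    for facts in product((True, False), repeat=3):
        print(facts, "->", decide(*facts))
```

Dropping the last column (the "not credible" rule) leaves four of the eight condition combinations without any action, which `table_defects` reports; a table that overlaps two columns on the same combination is reported the same way. Running the check is cheap insurance when the table is extended with further conditions, as later chapters' constraints might suggest.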


C. RISK CONTROL 


1. Model 

The Risk Control Phase is concerned with selecting
additional countermeasures to improve the overall ADP
security posture of the activity. Countermeasures are
selected which reduce the frequency of particular threats,
minimize the loss expectancy associated with particular
assets, or provide an alternative means of automated
support. Countermeasures are selected by an iterative
TABLE VII

Management Decision Model

|                                          | 1 | 2 | 3 | 4 |
| Conditions                               |   |   |   |   |
|   Risk Analysis Credible and Defensible  | T | T | T | F |
|   Mandatory Countermeasures Implemented  | T | T | F | - |
|   Total ALE Acceptable                   | T | F | - | - |
| Actions                                  |   |   |   |   |
|   Reinitiate Risk Analysis Phase         |   |   |   | X |
|   Initiate Risk Control Phase            |   | X | X |   |
|   Initiate Operational Continuity Phase  | X |   |   |   |


process, in which steps 2 and 3 of the Risk Analysis Model
are repeated until the projected Total ALE is reduced to an
acceptable level. The process is executed iteratively in
order to ensure that the set of selected countermeasures is
the optimal set.

There are several constraints affecting the process of
countermeasure selection. The most significant constraint
is the required selection of countermeasures which are
designated mandatory by higher authority and must be
implemented regardless of any other criteria. Higher
authority is defined as the Designated Approving Authority
or the organizational chain of command in the DON.
The second constraint is that each countermeasure should
provide a positive return on investment. That is, the
reduction in Total ALE (an annualized figure) as a result of
the implementation of a countermeasure must be greater than
the annualized cost of the countermeasure. The amortized
cost of the countermeasure is computed as the annual
operating cost plus the annual portion of the one-time costs
associated with that countermeasure. The annual portion of
the one-time costs is the sum of the development,
implementation, and/or installation costs, divided by the
number of years in the anticipated life of the
countermeasure.

The proposed model of the Risk Control Phase is presented
in Table VIII, and described in more detail in Appendix E
of Ref. 10. Step one is the examination of those
countermeasures mandated by higher authority. Those
countermeasures are placed at the top of the priority list
for implementation. If the projected Total ALE with the
mandatory countermeasures is less than or equal to the
maximum acceptable Total ALE, the Risk Control Phase is
completed. If the projected Total ALE after implementation
of mandatory countermeasures is still not acceptable,
additional countermeasures must be selected for
implementation. The selection begins by finding the
countermeasure which has the greatest potential of lowering
the projected Total ALE. The process of selecting the next
best countermeasure is repeated until the projected Total
ALE is reduced to an acceptable level. The process is
iterative because the amount of reduction associated with
each countermeasure is dependent on the other
countermeasures previously evaluated. This anomaly is
similar to the "law of diminishing returns" when two
countermeasures affect the same threat frequencies or loss
expectancies.


TABLE VIII

Risk Control Model

Objective:
  Choose C1 through Cj such that
    TALE (E + M + C1 + ... + Cj) <= MATALE

  where E = existing countermeasures, M = mandatory
  countermeasures, and C1 ... Cj = proposed countermeasures
  1 through j, so that TALE (E + M + C1 + ... + Cj) is the
  Projected Total ALE with existing countermeasures,
  mandatory countermeasures, and proposed countermeasures
  1 through j.

  * Necessary means mandatory and additional.

Steps:
  1. Survey all mandatory countermeasures.
     If TALE (E + M) <= MATALE, go to Step 5.
  2. Choose countermeasure C1 such that:
       TALE (E + M + C1) is minimized, and
       TALE (E + M) - TALE (E + M + C1) > Cost (C1).
     If TALE (E + M + C1) <= MATALE, go to Step 5.
  3. Choose another countermeasure, Cj, such that:
       TALE (E + M + C1 + ... + Cj) is minimized, and
       TALE (E + M + C1 + ... + Cj-1)
         - TALE (E + M + C1 + ... + Cj) > Cost (Cj).
     If TALE (E + M + C1 + ... + Cj) <= MATALE,
     go to Step 5.
  4. Repeat Step 3 until:
       TALE (E + M + C1 + ... + Cj) <= MATALE.
  5. Develop Plan of Action for implementation of
     necessary* countermeasures.

Where:
  TALE (E + M) = Projected Total ALE with existing and
                 mandatory countermeasures (annualized)
  MATALE       = Maximum acceptable Total ALE
  Cost (Cj)    = Amortized cost of countermeasure Cj
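As an added example (not code from the thesis or from Ref. 10), the following Python carries steps 1 through 4 of Table VIII, together with the amortized-cost rule of the second constraint, through a constructed activity with three threats and five candidate countermeasures. The threat figures, costs and frequency reductions are invented for illustration, and the multiplicative reduction model is an assumption chosen because it reproduces the "diminishing returns" effect the text describes.

```python
from dataclasses import dataclass, field


@dataclass
class Countermeasure:
    name: str
    mandatory: bool
    annual_operating_cost: float
    one_time_cost: float          # development + implementation + installation
    life_years: int
    # threat name -> fraction by which this countermeasure cuts that threat's
    # annual frequency (assumed model; loss per occurrence is left unchanged)
    frequency_reduction: dict = field(default_factory=dict)

    def amortized_cost(self) -> float:
        """Annual operating cost plus the one-time costs spread over the
        anticipated life, as the second constraint defines it."""
        return self.annual_operating_cost + self.one_time_cost / self.life_years


def projected_tale(threats, selected):
    """TALE(E + M + C1 ... Cj).  threats: name -> (annual frequency, loss per
    occurrence).  Reductions apply multiplicatively, so a second countermeasure
    against the same threat buys less than the first did."""
    total = 0.0
    for threat, (frequency, loss) in threats.items():
        for cm in selected:
            frequency *= 1.0 - cm.frequency_reduction.get(threat, 0.0)
        total += frequency * loss
    return total


def risk_control(threats, candidates, matale):
    """Steps 1-4 of Table VIII.  Returns the selected countermeasures and the
    projected Total ALE after each selection."""
    selected = [cm for cm in candidates if cm.mandatory]       # step 1
    pool = [cm for cm in candidates if not cm.mandatory]
    history = [projected_tale(threats, selected)]
    while history[-1] > matale:                                 # steps 2-4
        best, best_tale = None, history[-1]
        for cm in pool:
            tale = projected_tale(threats, selected + [cm])
            # positive return on investment, and the largest remaining reduction
            if history[-1] - tale > cm.amortized_cost() and tale < best_tale:
                best, best_tale = cm, tale
        if best is None:
            break   # nothing left with positive ROI: MATALE cannot be reached
        selected.append(best)
        pool.remove(best)
        history.append(best_tale)
    return selected, history


# Constructed sample activity (illustrative figures, not from the thesis).
THREATS = {
    "fire":                (0.1, 500_000.0),
    "unauthorized access": (2.0,  40_000.0),
    "power failure":       (5.0,  10_000.0),
}
CANDIDATES = [
    Countermeasure("halon fire suppression", True,   5_000, 40_000, 10, {"fire": 0.8}),
    Countermeasure("password controls",      False,  2_000, 10_000,  5, {"unauthorized access": 0.5}),
    Countermeasure("call-back modems",       False,  3_000, 20_000,  5, {"unauthorized access": 0.4}),
    Countermeasure("uninterruptible power",  False,  1_000, 30_000,  6, {"power failure": 0.6}),
    Countermeasure("round-the-clock guard",  False, 60_000,      0,  1, {"unauthorized access": 0.3}),
]
MATALE = 80_000.0


def run_example():
    """Names of the countermeasures chosen, in order, and the TALE trajectory."""
    selected, history = risk_control(THREATS, CANDIDATES, MATALE)
    return [cm.name for cm in selected], history
```

On this data the guard never qualifies (its 24,000 reduction is below its 60,000 amortized cost), and the call-back modems lose out because the password controls already halved the same threat frequency.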
Finally, the optimal set of countermeasures is prioritized
and scheduled for implementation. Top management is
responsible for approving that recommended set of
additional countermeasures and their implementation
schedule. Those considerations addressing implementation
are provided in the following section.


2. Implementation Considerations 


The objective of the Risk Control Phase is to provide an
approved, prioritized optimal set of countermeasures which,
when implemented, lower the Total ALE of an activity to an
acceptable level. The task is not a simple one, and
requires that management devote adequate resources in both
expert manpower and time to accomplish it. Several
considerations must be made during the selection of
countermeasures for presentation to management.

The first consideration, as discussed above, is the
selection of those countermeasures which are designated
mandatory by higher authority. The SPLICE network and
individual SPLICE locations are required to implement those
countermeasures listed in Appendix J of OPNAVINST 5239.1A
[Ref. 10] and NAVSUPINST 5510.6A [Ref. 15]. Additional
mandatory countermeasures may be identified in future
revisions of the SPLICE Security and Risk Analysis Plan
[Ref. 17].

The second consideration concerns the cost-effectiveness
of each countermeasure. To be a candidate for selection, a
countermeasure must have a positive return on investment.
That is, the benefit realized by implementing the
countermeasure must be greater than the amortized cost of
the countermeasure.


The third consideration in compiling a set of candidate
countermeasures concerns the feasibility of each
countermeasure. Those countermeasures which the risk
control team judges infeasible due to such things as
geographic location or technical limitations should be
documented as "considered, but judged infeasible." Thorough
documentation and management participation is crucial
during this feasibility review to adequately address
activity budgetary constraints. For those countermeasures
judged feasible and practical, top management initiates the
appropriate planning and budgeting support needed for their
implementation.

To ensure that the optimal set of countermeasures is
proposed, the risk control team analyzes the results of the
risk analysis from several perspectives. The matrix of
assets and threats is examined to identify those threats
with the greatest potential for harm, in terms of their
threat frequencies. Specific countermeasures should be
considered which reduce the likelihood of those threats
occurring.

Additionally, the team reviews the matrix to identify those
assets with high loss expectancies. It is important to
recall at this point that the loss associated with an asset
is not limited to the replacement value of that asset, but
is often compounded with the value of the service that the
asset provides. Those countermeasures which minimize the
loss expectancies associated with assets should be
considered for implementation.


Finally, a global inspection of the risk analysis must be
taken. During this inspection, top management relies on the
technical expertise of the risk control team to "read
between the lines" of the asset/threat matrix and to
identify those vulnerabilities that allow a variety of
threats to materialize. The forms required for the
evaluation of countermeasures are provided in Ref. 10.





As explained in the Risk Control Model, proposed
countermeasures are selected in an iterative process.
Countermeasures are normally targeted to reduce the
vulnerabilities of an activity and, when implemented,
usually affect multiple vulnerabilities simultaneously. Due
to this overlapping result, the effectiveness of a
countermeasure must be evaluated with respect to the entire
data processing environment before determining the total
benefit that could be realized. Additionally, the
implementation of a countermeasure could in some situations
generate a more serious vulnerability than that which the
countermeasure was intended to correct. In these
situations, activity top management must decide if the
benefit gained outweighs the weakness created. For example,
a recommended software countermeasure might require
multiple, lengthy passwords to improve access control.
Unfortunately, passwords of this nature are often written
down and taped to terminals, thereby negating the
effectiveness of passwords and creating a greater
vulnerability.

When the projected Total ALE with the additional
countermeasures considered is less than the maximum Total
ALE acceptable, the selection of countermeasures is
completed. The next task of the risk control team is to
develop a plan of action for implementing the set of
selected countermeasures. The development of this plan will
be guided by the availability and timing of those resources
required for countermeasure implementation. When the set of
proposed countermeasures and the implementation plan is
approved by top management, the Risk Control Phase is
completed.

Recent ADP security literature provides documentation on a
variety of countermeasures. A discussion of many of those
countermeasures is provided in the next chapter.





D. OPERATIONAL CONTINUITY 
1. Model 


Like the Management Decision Phase, the Operational
Continuity Phase is modeled by a decision table. The table
is applicable at any time during the phase, which can be as
long as five years. Since the Risk Management Program
requires continual review of the ADP security posture of
the activity, the decision table should be consulted on a
continual basis.

Some elements of the decision table, which is given in
Table IX, deserve amplification. When an activity enters
the Operational Continuity Phase, a request for
accreditation is immediately forwarded to the DAA. If the
activity has no countermeasures which must be implemented,
this initial request can also be considered a final
request. If necessary countermeasures are to be
implemented, then a final accreditation request will be
submitted when their implementation is completed.

According to Ref. 10, an activity must conduct a risk
analysis and be accredited every five years or whenever
there is a significant change in the system configuration
or facility. Therefore, a "not satisfied" (F) in either of
these conditions requires initiation of the Risk Analysis
Phase, regardless of any other conditions. Finally, since
the Operational Continuity Phase can be entered from either
the Management Decision Phase or the Risk Control Phase, a
likelihood exists that the implementation of
countermeasures is happening simultaneously with the daily
operation of the activity. The responsibilities and
authorizations needed to implement the necessary
countermeasures are addressed in the Implementation
Considerations. When the Plan of Action for implementing
the necessary countermeasures is completed, a request for
final accreditation is submitted to the DAA.
2. Implementation Considerations

When this phase is entered, activity top management has
approved the results of the Risk Analysis Phase, and, if
the Risk Control Phase was executed, has approved a list of
necessary countermeasures and their implementation plan.
This review and approval documentation is submitted to the

When all necessary countermeasures have been implemented
and a request for final accreditation has been submitted,
the DAA evaluates the effectiveness of the new
countermeasures by means of a Security Test and Evaluation
(ST&E) [Ref. 10: p. 3-6]. After the ST&E, the DAA responds
to the accreditation request by assigning each ADP system
to one of the three categories discussed above.

The Operational Continuity Phase is terminated when policy
dictates that another risk analysis is required. At a
minimum, the Risk Analysis Phase will be reinitiated when
in the opinion of top management there has been a
significant change to the configuration (hardware or
software) or facility, or when there has been a lapse of
five years since the last approved risk analysis.





IV. TECHNICAL AND MANAGERIAL COUNTERMEASURES

As stated previously, the current data processing
environment is viewed as a collection of assets. To protect
these assets, various technical and managerial security
mechanisms are implemented. Technical countermeasures are
those internal hardware, software, and communication
protection mechanisms that are peculiar to the ADP system
and are best addressed in the overall system design
specifications. Managerial, also called conventional,
countermeasures are those administrative, personnel, and
physical mechanisms that are commonly required for the
protection of any environment, automated or not. Managerial
countermeasures are implemented throughout the system's
life cycle and are often used to enhance the effectiveness
of technical countermeasures.

The ADP security policies which industry enforces through
the implementation of technical and managerial
countermeasures are:

• all users and devices require positive unique
  identification and verification (authentication).

• all interactions involving users, devices, and other
  named system elements will be controlled by an
  authorization strategy (access control).

• all activity within the ADP system should be observed so
  that users (authorized or not) can be detected and held
  accountable for their actions (surveillance).

• all elements of the ADP system will function in a
  cohesive, identifiable, predictable, and reliable manner
  so that malfunctions are detected and reported within a
  known time (integrity).





The countermeasures discussed in this chapter are organized
by the four ADP security policies presented above. The
countermeasures are not identified specifically as
technical or managerial because a combination of both is
required to enforce an adequate ADP security policy. For
example, the authentication policy is often achieved by
implementing passwords. For passwords to be effective, they
require a software mechanism to accept and recognize
passwords and an administrative control to properly
distribute and audit their usage.


A. AUTHENTICATION

Authentication countermeasures prohibit the use of system
resources by unauthorized users or devices by verifying the
unique identity of the user or device before servicing a
request.

1. User Authentication

User authentication is essentially a two-step procedure of
identity definition and identity verification. In the first
step, the user provides his or her user identification
number and password during initial log-on to the system. In
the second step, the system performs a table lookup and
verifies that the password provided correctly maps to the
user identification number. Additionally, administrative
controls ensure that each identification number/password
combination is assigned to only one user, and that the user
has not provided his or her unique number and password
combination to someone else.


User authentication can be performed to some extent at the
physical security level by such controls as: guards
stationed at physical entry points, personnel
sign-in/sign-out logbooks, and closed-circuit TV monitors.
These physical security countermeasures are not sufficient
at the ADP system level, particularly if the system
supports remote terminals or network communications. As an
example, when a user submits a batch job to the data
processing center in person, his or her identity can be
verified. When that same batch job is submitted from a
remote terminal, the user's identity is no longer assured.

There are three methods for verifying a user's identity.
These methods, which can be applied singly or in
combination, are based on:

• something the person knows (e.g., a password, a
  combination to a lock, or a fact about the user's personal
  background);

• something the person has (e.g., a badge, a key to a lock,
  or a card with machine readable information); or

• something the person is (e.g., his or her signature,
  speech, hand geometry, or fingerprints). [Ref. 24: pp.
  8-10]

Several commercially developed devices for verifying
personal attributes such as fingerprints and hand geometry
are available. However, the cost of such countermeasures
makes them impractical for noncentralized data processing
environments like the SPLICE network. The practicality of
their implementation depends on the cost of the
countermeasure in relation to the amount of protection
needed to lessen the activity's potential losses.

The most widely accepted countermeasure for enforcing an
authentication policy is the assignment of a unique user
identification number and password. The user number is
entered via a badge or card, or entered from a keyboard,
whereas the password is generally entered only from a
keyboard. In addition to its use in authentication, the
user's identification number is also used in maintaining a
journal of his or her activities. Passwords, unfortunately,
have many potentially damaging vulnerabilities. Some
technical and managerial countermeasures that have been
recommended by Courtney [Ref. 3: pp. 40-43], NBS [Ref. 24:
pp. 9-12], and Shaaker [Ref. 25: p. 30] as appropriate to
counteract the vulnerabilities of passwords are as follows.


• Password Generation and Selection - Passwords should be
  comprised of a sufficient number of characters and
  generated in such a manner as to assure a degree of
  protection commensurate with the value of the assets.
  They should be generated randomly, so that no association
  with a particular user can be detected. Berman has
  suggested that password generation be based on the
  concept of a "virtual password" [Ref. 26: pp. 97-104].
  The password is created at the time the user identifies
  himself or herself to the system and is based on the
  user's identification number, social security number,
  and, in some cases, the user's department number. Ref. 26
  also provides a sample algorithm that is suitable for
  generating a "virtual password."

• Password Distribution - Passwords for accessing the ADP
  system should be distributed only to users meeting the
  system's need-to-know and need-to-utilize criteria. The
  use of a unique password by a user to access the ADP
  system, the application system, and the network is
  endorsed by industry and is used by several command and
  control ADP systems within the Navy. This three-layered
  access requires that the user be authenticated at the
  system, application, and network levels. Each password
  should be personally delivered to a user with
  instructions to memorize it, or it should be transmitted
  over a secured communication path to the user. If the
  password is transmitted, then either the user should
  immediately initiate a password change or, if
  implemented, an automatic password change routine should
  be invoked after initial log-on.

• Password Storage Protection - Passwords are usually
  stored in a file located in main memory. This file is
  therefore vulnerable to tampering. To protect the
  password file, an appropriate countermeasure is to either
  encrypt the file using the Data Encryption Standard (see
  Ref. 27) or pass the file through a hard-to-invert
  transformation algorithm. The algorithm should be
  sufficiently difficult to prevent a code breaker from
  successfully breaking the code with a reasonable amount
  of time and resources.

• Password Usage Protection - Passwords entered via CRT or
  printing terminals should be prevented from display by
  masking the keyboard response. Additionally, a security
  alarm or a terminal lockout should be generated
  automatically after a specific number of unsuccessful
  access attempts or after a specific time delay has
  elapsed since the last access attempt. In order to
  uncover possible unauthorized usage of a password, it is
  suggested that each user be shown a record of the most
  recent accesses under his or her password upon log-on. To
  protect passwords during a communications transmission,
  an appropriate countermeasure is to use either an
  encryption technique or a protected communications
  distribution system [Ref. 10: p. F-39]. The system should
  also respond in the same manner to a valid identification
  number and invalid password as it does to an invalid
  identification number and invalid password. This prevents
  a user who is attempting an unauthorized access from
  learning whether the identification number is valid or
  not.





• Password Lifetime - Passwords should be changed
  periodically, since the likelihood of them being
  surreptitiously discovered increases with time. Also, if a
  password is compromised or a user's access right is
  revoked, then the password should be immediately
  invalidated.
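The storage, usage and lifetime countermeasures above can be combined in one log-on routine. The following Python is an added example, not code from the thesis or its references; it substitutes a salted PBKDF2 transformation for the DES-based storage protection, and the lockout threshold, password lifetime, message texts and user ids are assumed values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000           # work factor of the one-way transformation
MAX_FAILURES = 3               # assumed lockout threshold
MAX_AGE_SECONDS = 90 * 86400   # assumed password lifetime
FAIL_MSG = "log-on failed"     # one reply for every failure cause


def transform(password: str, salt: bytes) -> bytes:
    """Hard-to-invert transformation of a password.  PBKDF2-HMAC-SHA256 with a
    per-user salt stands in for the DES-based protection the thesis cites."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Account:
    uid: str
    salt: bytes
    digest: bytes
    changed_at: float               # when the password was last set
    failures: int = 0
    locked: bool = False
    recent: list = field(default_factory=list)   # (time, device) of accepted log-ons


class PasswordFile:
    """Holds only transformed passwords, never the clear text."""

    def __init__(self):
        self._accounts = {}
        # Dummy record: unknown user ids are checked against it, so the work
        # done and the reply are the same as for a wrong password.
        self._dummy = Account("", os.urandom(16), os.urandom(32), 0.0)

    def enroll(self, uid: str, password: str, now: float) -> None:
        salt = os.urandom(16)
        self._accounts[uid] = Account(uid, salt, transform(password, salt), now)

    def revoke(self, uid: str) -> None:
        """Compromised password or revoked access right: invalidate at once."""
        self._accounts[uid].locked = True

    def log_on(self, uid: str, password: str, device: str, now: float):
        """Returns (accepted, message, recent_accesses).  Unknown user id,
        wrong password and locked account all produce the same reply."""
        acct = self._accounts.get(uid, self._dummy)
        matches = hmac.compare_digest(transform(password, acct.salt), acct.digest)
        if acct is self._dummy or acct.locked or not matches:
            if acct is not self._dummy:
                acct.failures += 1
                if acct.failures >= MAX_FAILURES:
                    acct.locked = True       # terminal lockout; alarm point
            return False, FAIL_MSG, []
        if now - acct.changed_at > MAX_AGE_SECONDS:
            return False, "password expired; change required", []
        acct.failures = 0
        history = list(acct.recent[-5:])     # shown to the user at log-on
        acct.recent.append((now, device))
        return True, "log-on accepted", history
```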


2. Device Authentication

Besides authenticating an authorized user, the ADP system
should be able to uniquely recognize devices that are
requesting services. This is particularly important when
evaluating the threats posed by remote or portable
terminals. An appropriate technical countermeasure is to
require each device to be equipped with circuitry which
will respond automatically to an interrogation command and
transmit an identification code. This handshaking between
the ADP system and the remote device is accomplished either
by an exchange of identification codes or by the successful
execution of a particular algorithm. The identification
code, also called a security code, should identify the
particular device and be unique within the system. It is
also used in the system-wide journal to maintain a log of
accesses by device. The device's circuitry should be
enclosed in tamper-resistant housing, and, where the degree
of protection warrants, the transmission should be
protected by encryption or a protected communications
distribution system. [Ref. 24: p. 22]

If the system services devices which are not directly
connected, it should have the capability of initiating a
call-back procedure that verifies the device's identity.
This call-back procedure makes use of a remote access list,
which must include device identification codes and a set of
authorized logical addresses or telephone numbers from
which each device can originate a request. Implementing
either of these countermeasures will enable the ADP system
to guard against an unauthorized device masquerading as an
authorized one.
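The handshake and call-back procedure above, as an added Python example that is not from the thesis or Ref. 24: a keyed challenge-response (HMAC-SHA256) stands in for the "particular algorithm" the text leaves unspecified, and the device codes, shared secrets and telephone numbers are constructed.

```python
import hashlib
import hmac
import os


class DeviceAuthenticator:
    """ADP-system side of the device handshake and the call-back procedure."""

    def __init__(self, registry):
        # registry: identification code -> (shared secret, authorized origins)
        self.registry = registry
        self.journal = []          # system-wide log of accesses by device

    def interrogate(self) -> bytes:
        """Interrogation command: a fresh random challenge for this request."""
        return os.urandom(16)

    @staticmethod
    def device_answer(secret: bytes, challenge: bytes) -> bytes:
        """What the device's circuitry computes.  The handshake is the
        successful execution of a keyed algorithm, so a code captured from
        one session does not answer the next session's challenge."""
        return hmac.new(secret, challenge, hashlib.sha256).digest()

    def verify(self, code: str, challenge: bytes, answer: bytes) -> bool:
        entry = self.registry.get(code)
        ok = entry is not None and hmac.compare_digest(
            self.device_answer(entry[0], challenge), answer)
        self.journal.append((code, "handshake ok" if ok else "handshake failed"))
        return ok

    def callback_origin(self, code: str, claimed_origin: str):
        """Call-back procedure: hang up and dial only an origin that the remote
        access list holds for this device.  Returns the origin to dial, or
        None to refuse."""
        entry = self.registry.get(code)
        if entry is None or claimed_origin not in entry[1]:
            self.journal.append((code, "call-back refused"))
            return None
        self.journal.append((code, "call-back to " + claimed_origin))
        return claimed_origin


# Constructed remote access list (illustrative, not a real configuration).
REGISTRY = {
    "DEV-0042": (b"secret-for-dev-0042", {"555-0100", "555-0101"}),
    "DEV-0077": (b"secret-for-dev-0077", {"555-0200"}),
}
```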


B. ACCESS CONTROL

Access control countermeasures enable properly identified
users to access only those system resources for which
authorization has been granted. Traditionally,
authorization in conventional systems has meant that every
system element is automatically granted access to every
other system element, unless specifically prohibited. In
contrast, ADP systems base authorization on the "least
privilege" principle, which states that a system element is
expressly prohibited from accessing another element, unless
authorization has been explicitly granted. This principle
limits the damage that can result from error or malicious
attack and restricts the access of system elements to a
protective domain.


Before discussing the design considerations for access
control mechanisms, an explanation is required of what
constitutes a subject and an object. A subject is an active
entity in the ADP system that corresponds to a process or
task acting on behalf of a user or the operating system. An
object is either a software created entity which represents
a collection of information (e.g., a file, directory, or
program) or a hardware recognizable entity like a terminal
or special-purpose register. An access matrix conceptually
represents what subjects can access what objects and
specifies what access rights (read, write, delete, etc.)
the subjects have to the objects.
1. Access Control Design Considerations

The design of access control mechanisms is based on three
considerations: [Ref. 28: pp. 192-217]


• Access Hierarchies, which automatically give privileged
  subjects a superset of the access rights of nonprivileged
  subjects. Privileged subjects are those active entities
  of a two-state machine that operate in the supervisor
  domain. A subject operating in this domain has access to
  all objects in the system, can create and delete objects,
  initiate and terminate user processes, and execute
  privileged instructions not available to subjects
  operating in the user domain (nonprivileged subjects).
  For example, processes in the supervisor domain can
  change process status words and execute I/O instructions,
  while those in the user domain can only request that
  those services be provided on their behalf.

• Authorization Lists, which associate with each object
  those subjects which have access rights to it. These
  lists are typically used to protect owned objects such as
  files and data.

• Capabilities, which are like "tickets" for objects.
  Possession of a capability unconditionally authorizes the
  holder access for all associated objects. In other words,
  associated with each subject is a capabilities list which
  specifies the subject's access rights to a set of
  objects.


Access control can be segregated into several levels:
system, subsystem, file, record, or field, where the
subject's access rights are delineated at each level. With
an access control mechanism designed to mediate accesses
down to the field level, greater likelihood exists of
detecting a violation or misuse of system resources.
However, such a design significantly increases the number
and types of accesses to be verified and generally leads to
a degradation of system performance.


2. Access Control Implementation

Access control countermeasures are implemented by software
routines which execute in the supervisor domain, and are
invoked by the file manager to grant or deny access when
symbolic references are made between subjects and objects.
As shown in Figure 4.1, the access control matrix
identifies all subjects and objects in the system and
defines their relationship. If the matrix were directly
implemented, the time required to validate an access
request could be unreasonable due to the potentially large
number of empty spaces in the matrix.

Depending on the system software design, the access control
countermeasure, which enforces the relationships depicted
in the matrix, can be implemented in different ways. One
approach is to organize and store the access relationship
from the subject's perspective, thereby eliminating empty
spaces in the matrix. This perspective, which is called a
capability-list orientation, maintains a capability list
for each subject defining both the subject's access rights
and its related objects. The advantage of this approach is
that once the subject's capability list is retrieved, the
time required to validate subsequent access requests is
minimal. [Ref. 29]
A second approach is to organize and store the relationship
from the object's perspective, where once again the empty
spaces are eliminated. This perspective, which is called an
authorization-list orientation, maintains with each object
a list of authorized subjects and their respective access
rights. The advantage of this approach is that once an
object has been requested, further requests for the same
object can be readily processed. [Ref. 29: p. 169]

Figure 4.1 Access Control Matrix.


Each of the approaches discussed above has a serious
maintenance problem. For example, when an object is removed
or a subject's access rights are changed, an exhaustive
search is needed to update all affected entries. This is
very time consuming when using a list based strictly on
either capabilities or authorizations. Ref. 29 recommends
an authority-item approach to overcome this deficiency. The
approach is explained as a method for

  organizing the access control information into authority
  items, each of which corresponds to a user (subject).
  Every resource (object) in an authority item is linked
  with the same resources (objects) in other authority
  items. Thus, the authority item approach supports
  capability lists directly and access (authorization)
  lists indirectly through linkages. In this way, searches
  of authority items due to removal, changes, and additions
  need not be exhaustive. [Ref. 29]

Regardless of the approach pursued, the overriding
consideration is to reduce the time needed to grant or deny
an access request and to provide a flexible mechanism that
can readily adapt to the dynamic interaction between
subjects and objects. For additional information on
different implementations of access control
countermeasures, the works by Stiegler (1979), Bauer (1980)
and Gladney (1975) are recommended.

The implementation approaches presented above were directed
towards alternative design proposals for the access control
function. These same considerations apply equally as well
to the design of a data base management system since it
also is concerned with ensuring that only authorized users
gain access to resources [Ref. 30: pp. 229-252].
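To make the two list orientations and their maintenance problem concrete, the following Python (an added example, not from the thesis or Ref. 29) builds a capability list and an authorization list from one constructed access matrix, mediates requests under least privilege, and counts the lists that must be scanned when an object is removed or a subject's rights are revoked. The subject and object names are invented.

```python
from collections import defaultdict

# Constructed access matrix, stored sparsely: only the non-empty cells
# (subject, object) -> rights are present; every absent cell means "no access".
MATRIX = {
    ("proc_alice", "payroll.dat"): {"read", "write"},
    ("proc_alice", "printer1"):    {"write"},
    ("proc_bob",   "payroll.dat"): {"read"},
    ("proc_bob",   "ledger.dat"):  {"read", "write", "delete"},
    ("os_kernel",  "payroll.dat"): {"read", "write", "delete"},
}


def capability_lists(matrix):
    """Subject's perspective: subject -> {object: rights}."""
    caps = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        caps[subj][obj] = set(rights)
    return caps


def authorization_lists(matrix):
    """Object's perspective: object -> {subject: rights}."""
    auths = defaultdict(dict)
    for (subj, obj), rights in matrix.items():
        auths[obj][subj] = set(rights)
    return auths


class ReferenceMonitor:
    def __init__(self, matrix):
        self.caps = capability_lists(matrix)
        self.auths = authorization_lists(matrix)

    def permitted(self, subj, obj, right):
        """Least privilege: anything not explicitly granted is denied."""
        return right in self.caps.get(subj, {}).get(obj, set())

    def remove_object(self, obj):
        """Object deleted.  The authorization list needs one lookup; keeping the
        capability lists consistent means scanning every subject's list.
        Returns the number of capability lists scanned."""
        self.auths.pop(obj, None)
        scanned = 0
        for subj_caps in self.caps.values():
            scanned += 1
            subj_caps.pop(obj, None)
        return scanned

    def revoke_subject(self, subj):
        """Mirror image: cheap on the capability side, exhaustive on the
        authorization side.  Returns the number of authorization lists scanned."""
        self.caps.pop(subj, None)
        scanned = 0
        for obj_auths in self.auths.values():
            scanned += 1
            obj_auths.pop(subj, None)
        return scanned

    def consistent(self):
        """Both orientations must still describe the same matrix."""
        from_caps = {(s, o): r for s, objs in self.caps.items() for o, r in objs.items()}
        from_auths = {(s, o): r for o, subjs in self.auths.items() for s, r in subjs.items()}
        return from_caps == from_auths
```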


C. SURVEILLANCE

The surveillance countermeasure detects and reacts
appropriately to any internal system activity that it has
determined may constitute a security threat. In order to
determine the source of this threat, the system must have a
means of achieving strict personal accountability of users
(unique assignment of identification numbers). The
surveillance countermeasure needs the capability to
concurrently perform two functions: threat monitoring and
security auditing. For the countermeasure to be effective,
the events to be monitored and logged must be approved
during the design of the ADP system and the capability
implemented prior to its operational use. The surveillance
countermeasure is usually implemented to operate in the
privileged domain and, like all other system software,
requires protection from unauthorized modification,
destruction, disclosure, or denial of service.

Threat monitoring is the real-time detection of a successful or attempted penetration of the ADP system. The threat monitor observes all user and system interactions to ensure that the proper actions and responses are being exchanged. If the monitor detects a security violation (penetration attack), it must record the event and take some automatic action, depending upon the severity and effect of the violation. This action could range from printing a security alert message on the operator's console to sounding an alarm in the ADP Security Officer's location. In designing the monitor, one must address what information, if any, should be returned to the user attempting to compromise the system and what the disposition of the user's program should be if execution had been initiated.

Security auditing concerns the logging, analyzing, and reporting of security-related events, in particular, any attempted or successful security violation. The auditing function collects and records in a historical file such things as the user's identification number and time of log-on, the devices from which the user has entered commands, programs, and files, and any other system data unique to the particular user session (e.g., general registers, memory bounds, and the initial memory table) [Ref. 29: p. 166]. The logs are used to provide an audit trail of system activity and to assist in the investigation of recorded security violations.

Analyzing and reporting of security-related events is a joint responsibility of the surveillance software countermeasure and the ADP Security Officer. The countermeasure is normally designed to maintain statistics on security-related events and to prepare standardized reports on such events, while it is the ADP Security Officer that interprets these reports and takes appropriate actions to correct the documented vulnerabilities. It is intended that a surveillance countermeasure will act as an effective psychological deterrent to the user who might otherwise consider abusing his or her privileges.


D. INTEGRITY


Integrity is the quality of protection that assures that the ADP system works in a cohesive and predictable manner regardless of the operating conditions, that technical countermeasures are effective in maintaining the desired security level, and that the ADP system is adequately protected from the occurrence and impact of errors [Ref. 31: pp. ...]. Countermeasures for enforcing a system integrity policy include controls for the internal (hardware and software) system, processing, and system errors. The technical countermeasures presented in the following sections have been synopsized from Refs. 29, 32 and 33. The listing is by no means exhaustive, but rather represents industry's judgement of the most effective countermeasures for today's hardware and software. These countermeasures are not usually identified explicitly as security mechanisms, but are often present for assuring a high degree of system reliability.


1. Internal System Controls


In today's multiprogramming and multiprocessing ADP systems, many users are concurrently sharing system resources (memory, CPU, and I/O devices) and programs. The multiplexing of these elements among many users has created a need to isolate (self-protect) user programs from one another, the system software, and the other system resources. This isolation of elements is achieved by implementing various technical countermeasures that provide for main memory protection, dual execution states, and virtual machine monitors.
a. Main Memory Protection


Main memory protection concerns the ability to protect partitions or portions of main memory from unwarranted access by user programs. Main memory is usually divided into mutually exclusive areas that are managed by the system software. The system software loads these areas with as many user programs as can be efficiently serviced. In previous generations, this meant bringing in a user program, executing it for a period of time, suspending its execution, and loading in another user program. This swap sequence continued usually via a round robin servicing scheme until the user program had finished execution. This scheme is no longer judged as an efficient use of main memory.

To overcome this inefficiency, a new architecture developed which supports a virtual memory capability. The important characteristic of a virtual memory architecture is that the address space of a user program is partitioned into a set of independently allocated units, some of which are main memory resident during program execution, and some of which are not. With this new approach, the system software loads only units needed for execution, hence a greater number of users can be served and memory usage is more efficient. [Ref. 32: pp. 32-3...]

When the ADP system does not permit the sharing of system resources or processes by multiple users, the traditional main memory protection countermeasures of base and bound registers or locks and keys are sufficient to enforce an isolation policy. Memory base and bound registers are set by the system software to specify the upper and lower main memory addresses for the currently executing process. Any attempt by the process to fetch from or store to an address outside these bounds generates an interrupt to the system software. When a different process is brought in, the base and bound registers are changed to describe the new process' memory area. A lock and key countermeasure is implemented by marking each location in main memory with a lock and each program with a key. When the user program is brought into main memory for execution, the system software compares the key with the locks and unlocks only those areas matched by the program's key. Each fetch and store is automatically examined by the hardware to confirm that the key and lock match.

When the ADP system permits resource sharing, these traditional countermeasures are not adequate because they allow programs with different protection attributes to concurrently access the same area of main memory. Ref. 29 recommends a solution to this problem that incorporates the protection attributes and size constraints in the address translation table. This table is used by the system software to map the virtual addresses of a user program into the physical addresses needed in main memory. [Ref. 29: pp. 108-114]
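The translation-table solution described above, as an added example that is not code from the thesis or from Ref. 29: each entry of a program's address translation table carries the unit's size constraint and its protection attributes, so two programs mapping the same physical area can hold different rights, and any out-of-range or wrong-mode reference is refused where real hardware would interrupt. The unit size, addresses and the two program tables are constructed for illustration.

```python
"""Model of main memory protection through an address translation table.

Added example, not code from the thesis or from Ref. 29. Each table entry
carries the unit's size constraint and protection attributes, so two
programs sharing one physical area may hold different attributes. The unit
size, addresses and program tables below are constructed values.
"""
from dataclasses import dataclass

UNIT_SIZE = 1024  # constructed: bytes per independently allocated unit


class ProtectionViolation(Exception):
    """Stands in for the interrupt the hardware raises to system software."""


@dataclass(frozen=True)
class TableEntry:
    physical_base: int  # physical address at which the unit is loaded
    size: int           # size constraint: bytes actually allocated in the unit
    attributes: str     # subset of "rwx" the owning program may use
    resident: bool = True


class AddressTranslationTable:
    """One table per user program, consulted on every fetch and store."""

    def __init__(self, entries):
        self._entries = dict(entries)  # virtual unit number -> TableEntry

    def translate(self, vaddr, mode):
        """Return the physical address for vaddr, or raise ProtectionViolation."""
        if mode not in ("r", "w", "x"):
            raise ValueError("mode must be 'r', 'w' or 'x'")
        unit, offset = divmod(vaddr, UNIT_SIZE)
        entry = self._entries.get(unit)
        if entry is None:
            raise ProtectionViolation(f"unit {unit} is not allocated to this program")
        if not entry.resident:
            raise ProtectionViolation(f"unit {unit} is not resident in main memory")
        if offset >= entry.size:  # size constraint: the per-unit bound check
            raise ProtectionViolation(f"offset {offset} exceeds unit size {entry.size}")
        if mode not in entry.attributes:  # protection attributes of this program
            raise ProtectionViolation(f"{mode!r} access not permitted on unit {unit}")
        return entry.physical_base + offset


def check_access(table, vaddr, mode):
    """Convenience wrapper: (True, physical address) or (False, reason)."""
    try:
        return True, table.translate(vaddr, mode)
    except ProtectionViolation as exc:
        return False, str(exc)


def build_shared_memory_example():
    """Two constructed programs sharing one physical area with different rights."""
    shared_area = 0x4000
    program_a = AddressTranslationTable({
        0: TableEntry(0x1000, UNIT_SIZE, "rx"),  # A's code
        1: TableEntry(shared_area, 512, "rw"),   # shared data, 512 bytes in use
    })
    program_b = AddressTranslationTable({
        0: TableEntry(0x2000, UNIT_SIZE, "rx"),  # B's code
        1: TableEntry(shared_area, 512, "r"),    # same area, read-only for B
        2: TableEntry(0x5000, UNIT_SIZE, "rw", resident=False),  # swapped out
    })
    return program_a, program_b


if __name__ == "__main__":
    a, b = build_shared_memory_example()
    for prog, name in ((a, "A"), (b, "B")):
        for vaddr, mode in ((UNIT_SIZE + 100, "w"), (UNIT_SIZE + 600, "r"), (2 * UNIT_SIZE, "r")):
            print(name, hex(vaddr), mode, check_access(prog, vaddr, mode))
```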
Some additional countermeasures that are necessary to protect ADP systems which process sensitive business data are as follows.

• Ability to scrub (zero out) residue from main and secondary memory before reallocation to another user process.

• A memory write protection feature that prevents one program from overwriting another. Any attempt to write generates a system interrupt.
b. Dual Execution States


The dual execution states of privileged and nonprivileged allow the CPU to maintain the two execution domains of supervisor and user. The system software executes in the supervisor domain, thus it is permitted immediate access to all system resources, including the ability to execute privileged CPU and I/O instructions. On the other hand, the user's process executes in the user domain and any attempts to execute a privileged instruction are automatically trapped by the CPU. Basically, this action generates an interrupt which signals the CPU to change to the privileged state and allows the system software to execute the instruction on behalf of the user process. This countermeasure is available on almost all current ADP systems.
c. Virtual Machine Monitors


The implementation of virtual machine monitors allows each user program to have its own virtual machine uniquely configured for its needs. Each virtual machine is considered to be a functionally complete machine with its own virtual CPU, memory, I/O channels, devices, and any other virtual resources requested. The only resource that actually executes a user program is the physical CPU. The physical CPU is allocated between virtual monitors, working a specific amount of time for each virtual CPU according to a specified strategy. This allows for the time-multiplexing of each virtual monitor on the actual hardware and the dynamic reconfiguration of the system to satisfy the needs of the user program. Since each user process is contained in a specifically configured virtual environment, any attempt to access a system resource outside that environment automatically generates a system interrupt. Therefore virtual machine monitors also contribute to an isolation (self-protection) security policy.


2. Processing Controls


Processing controls are mainly limited to administrative countermeasures such as standard operating procedures and software engineering practices that indirectly protect the ADP system and enhance the effectiveness of the technical countermeasures. Some of the controls that should be considered as possible candidates are as follows.

• Users should be restricted to programming only in higher-level languages.

• Modifications to system and application software should be implemented by a two-person control strategy. Two persons must sign off on all changes to the system software before the changes are made in the operational version.

• A Configuration Management Plan which addresses software development and maintenance procedures should be implemented.

• A Contingency Plan which describes procedures for responding to abnormal conditions should be established, published, and enacted.


3. System Error Controls


System errors, [...], result in a degraded or unknown performance level and can be caused by hardware malfunctions, software errors, or operator errors. Hardware malfunctions are caused by such things as the CPU, memory parity, I/O interface and communication line, or power failure. Software errors are concerned with both operating and application systems deficiencies and are attributed to incomplete design specifications and/or implementation. And lastly, operator errors result from either badly defined operating procedures or simple human error. [Ref. 33: pp. 104-105]

In developing countermeasures to protect against these three types of errors, the designer must consider error prevention, detection and recovery. Error prevention is usually satisfied by providing sufficient redundancy so that a component failure does not degrade performance. Error detection requires the ADP system to be capable of recognizing potential hardware and software malfunctions before the entire system halts. Error recovery relates to the continuation of system functions after an error has occurred. Recovery can be effected at several levels, depending upon the severity and impact of the error. For example, if an error could crash the system, the recovery would be a system restart; or if a program attempted to read past the end-of-file, the recovery would entail only an error message.


Some of the countermeasures that have been suggested by Carroll [Ref. 20: pp. 265-287] and TRW Systems, Inc. [Ref. 33: pp. 129-173] as effective in counteracting system errors are as follows.

• hierarchically designed fault-tolerant ADP systems

• redundancy of hardware and software components

• automatic backup hardware switchover

• transfer of critical system functions from software to firmware or hardware

• dynamic checking of the system's operating state with appropriate recovery actions specified should an illegal state be detected

• capability for logical consistency checks (e.g., simultaneous interrupt prevention, device address and existence check, and time check on propagation of signals between devices) with appropriate recovery actions initiated should an inconsistency be realized

• capability for selective termination, graceful degradation, automatic initiation of diagnostics, and graded (warm/cold) restarts

• memory parity and address validation

• replication of critical system files including data bases and audit logs

• employment of data integrity controls such as checks for reasonableness, consistency, and range, use of checksum totals and parity during data transfers, and maintenance of a transaction journal

• timing and sequence checks pertinent to I/O operations (e.g., I/O instruction execution and I/O transmission)
V. RECOMMENDATIONS


A. RECOMMENDED SPLICE FUNCTIONAL SECURITY MODULE


This section provides recommended design specifications for a software Security Module to be incorporated into the functional design of the SPLICE Local Area Network (LAN). The specifications are based upon the assumption that all data handled within the SPLICE LANs will be classified no higher than Sensitive Business Data. The design specifications recommended in this section satisfy the protection requirements set forth in Refs. 10 and 11.

As discussed earlier, a complex data processing environment like SPLICE is usually protected by enforcing the four basic security policies of authentication, access control, surveillance, and integrity. The SPLICE Security Module has been designed as a collection of submodules, with a recommended software submodule for each policy area except integrity. The integrity requirements of SPLICE have already been addressed in Ref. 13 and, if implemented, will be adequate. The integrity requirements address such things as memory protection features, change control procedures, memory parity, data integrity controls, and system consistency checks. The recommended Security Module is specifically tailored to satisfy the security requirements of the SPLICE LAN and should not be construed as being endorsed for all such environments. The terms used to describe the Security Module and its interactions with the other functional modules of the SPLICE LAN have been taken from Ref. 34.
The functions of the SPLICE Security Module are as follows:

• Authentication of the user when accessing the SPLICE Configuration.

• Authentication of terminals and peripheral devices when requesting or performing a service.

• Maintenance of an access control mechanism which enforces the access rights as prescribed for subjects and objects of the local SPLICE Configuration and validates requests for access to the SPLICE LAN and the Defense Data Network.

• Maintenance of an online security auditing mechanism that logs appropriate security related information required to support subsequent analysis efforts.


1. Authentication


In order to enforce an authentication policy, authorized use of SPLICE resources must be controlled by both an administrative and a software countermeasure. The administrative countermeasure requires that each user and device be uniquely identifiable within the SPLICE LAN. The software countermeasure necessitates the design of software submodules which function to identify users, terminals, and peripherals.

Chapter IV presented in detail numerous mechanisms considered effective in protecting a password authentication countermeasure. It is recommended that those mechanisms be evaluated for their applicability to the detailed design of the authentication submodule.
a. Authentication of Terminals and Users


The software submodule for authenticating terminals and users should be invoked by the Front End Processor (FEP) Module when the user initially attempts to log on to the local SPLICE Configuration (local system). It is assumed that the FEP Module can recognize when a user is logging on to the local system and that it can invoke the submodule when appropriate.

The terminal's identity should be checked by requiring the terminal to transmit a security code in response to an interrogation command. The code is then matched against a table of authorized terminal security codes. If a match is found, the logon procedure continues. Otherwise, the security auditing submodule (to be addressed later) is invoked and appropriate actions for handling a security violation are taken. After the terminal's identity is verified, the user's identification number and password are checked in a similar manner. If a match is found, the logon procedure is completed and control passed back to the FEP Module. If no match is found, the security auditing submodule is invoked as before and control is passed back to the FEP Module after appropriate actions have been taken.

It is recommended that the authentication submodule for terminals and users be located in the same physical machine as the FEP Module for each local system. This recommendation is based on the need to restrict a nonverified terminal and user to as little of the local system as feasible. This submodule will only be invoked when a user (local, remote or satellite) initially logs on to the local system.
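The logon procedure just described, as an added example that is not code from the thesis or the SPLICE project: the terminal's security code is matched against the table of authorized codes, then the user's identification number and password are checked, and each failure invokes the security auditing submodule (here a plain callable) before the result goes back to the FEP Module. The tables, codes and users are constructed; keeping passwords as salted PBKDF2 hashes and comparing in constant time is an assumption the thesis does not specify.

```python
"""Model of the SPLICE authentication submodule for terminals and users.

Added example, not code from the thesis or the SPLICE project. Terminal
codes and user records are constructed; salted PBKDF2 password hashes and
constant-time comparison are assumptions the thesis does not specify.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from enum import Enum

PBKDF2_ROUNDS = 100_000  # constructed choice


class LogonResult(Enum):
    TERMINAL_REJECTED = "terminal security code not authorized"
    USER_REJECTED = "user identification number or password incorrect"
    ACCEPTED = "logon procedure completed"


def make_user_record(password, salt=None):
    """Return (salt, hash) for the table of authorized users."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthenticationSubmodule:
    def __init__(self, terminal_codes, users, audit):
        self._terminal_codes = set(terminal_codes)  # authorized terminal security codes
        self._users = dict(users)                   # user id -> (salt, hash)
        self._audit = audit                         # security auditing submodule hook
        self._dummy = make_user_record("unused")    # same work for unknown user ids

    def _record(self, user_id, terminal_code, result):
        """Hand a system access log entry to the security auditing submodule."""
        self._audit({
            "log": "system access",
            "user": user_id,
            "terminal": terminal_code,
            "success": result is LogonResult.ACCEPTED,
            "detail": result.value,
            "time": datetime.now(timezone.utc).isoformat(),
        })

    def logon(self, terminal_code, user_id, password):
        # Step 1: the terminal's identity, from the code sent in reply to interrogation
        presented = terminal_code.encode()
        if not any(hmac.compare_digest(presented, code.encode()) for code in self._terminal_codes):
            self._record(user_id, terminal_code, LogonResult.TERMINAL_REJECTED)
            return LogonResult.TERMINAL_REJECTED
        # Step 2: the user's identification number and password, checked the same way
        salt, expected = self._users.get(user_id, self._dummy)
        _, candidate = make_user_record(password, salt)
        if user_id not in self._users or not hmac.compare_digest(candidate, expected):
            self._record(user_id, terminal_code, LogonResult.USER_REJECTED)
            return LogonResult.USER_REJECTED
        self._record(user_id, terminal_code, LogonResult.ACCEPTED)
        return LogonResult.ACCEPTED  # control now passes back to the FEP Module


def build_example_submodule():
    """Constructed tables plus an in-memory audit trail standing in for the auditing submodule."""
    audit_trail = []
    submodule = AuthenticationSubmodule(
        terminal_codes={"T-0417", "T-0422"},
        users={"U1001": make_user_record("correct horse"),
               "U1002": make_user_record("battery staple")},
        audit=audit_trail.append,
    )
    return submodule, audit_trail


if __name__ == "__main__":
    sub, trail = build_example_submodule()
    print(sub.logon("T-0417", "U1001", "correct horse"))
    print(sub.logon("T-9999", "U1001", "correct horse"))
    print(sub.logon("T-0422", "U1001", "wrong"))
    for entry in trail:
        print(entry)
```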
b. Authentication of Peripherals


The software submodule for verifying the identity of a peripheral device has not been examined due to the lack of detailed design specifications concerning how the Peripheral Management (PM) Module interacts with the local system. Once the design has been completed, it is recommended that the countermeasures presented in Chapter IV Section A.2 be reviewed for their applicability.


2. Access Control


After the user's identity is verified, the FEP Module forwards all subsequent user messages to the [...] Management (TM) Module. The TM Module responds by requesting that the Session Services (SS) Module establish and maintain a user session. After a session has been established, the SS Module examines each user request and invokes the appropriate generalized functional module needed for accomplishing the task requested. It is recommended that the SS Module invoke the access control submodule to validate the user's authorization rights before it invokes any other functional module on behalf of the user.

The access control submodule should perform two types of authorization control. First, when the user task requests access to the SPLICE LAN or the Defense Data Network, the access control submodule should ensure that the user has been authorized such an access. The second type of control involves granting or denying a user (either local, remote or satellite) access to a local system object such as a file, directory, or peripheral device to perform some action such as read, write or execute on that particular object. If the request is not allowed, the security auditing submodule is invoked and appropriate action is taken.

The design of the access control submodule should be based on the authority item technique presented in Ref. 25. This design specification reduces the time required to grant a user authorization request and allows authority items to be easily modified when changes are made to the authorization rights of a user (subject) or the access capabilities of an object. The implementation of this countermeasure requires that the authorization rights of users and access capabilities of objects be explicitly defined and maintained online for use by the access control submodule. It is recommended that the access control submodule be colocated with the SS Module to minimize the time required to validate a user's authorization.
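The two types of authorization control described above, as an added example that is not code from the thesis or from Ref. 25: one authority item per subject holds the networks it may reach and the actions it may perform on each local object, an object table records what each object is capable of, and each check consults only the requesting subject's item, with every denial handed to the security auditing submodule (here a plain callable). The subjects, objects and rights are constructed.

```python
"""Model of the SPLICE access control submodule built on authority items.

Added example, not code from the thesis or from Ref. 25. Subjects, objects,
rights and the auditing hook below are constructed for illustration.
"""
from dataclasses import dataclass, field

ACTIONS = frozenset({"read", "write", "execute"})
NETWORKS = frozenset({"SPLICE LAN", "DDN"})


@dataclass
class AuthorityItem:
    """Authorization rights of one subject, maintained online."""
    networks: set = field(default_factory=set)
    objects: dict = field(default_factory=dict)  # object name -> set of actions


class AccessControlSubmodule:
    def __init__(self, audit):
        self._items = {}     # subject -> AuthorityItem
        self._objects = {}   # object -> actions the object is capable of
        self._audit = audit  # security auditing submodule hook

    # --- maintenance of authority items and object capabilities ---
    def define_object(self, name, capabilities):
        unknown = set(capabilities) - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions {sorted(unknown)}")
        self._objects[name] = set(capabilities)

    def authorize_network(self, subject, network):
        if network not in NETWORKS:
            raise ValueError(f"unknown network {network!r}")
        self._items.setdefault(subject, AuthorityItem()).networks.add(network)

    def grant(self, subject, obj, actions):
        if obj not in self._objects:
            raise KeyError(f"object {obj!r} is not defined")
        item = self._items.setdefault(subject, AuthorityItem())
        item.objects.setdefault(obj, set()).update(actions)

    def revoke(self, subject, obj, actions=None):
        """Drop rights on one object; only this subject's item is touched."""
        item = self._items.get(subject)
        if item is None:
            return
        if actions is None:
            item.objects.pop(obj, None)
        else:
            item.objects.get(obj, set()).difference_update(actions)

    # --- the two types of authorization control ---
    def check_network(self, subject, network):
        """First type: may the subject reach the SPLICE LAN or the DDN?"""
        item = self._items.get(subject)
        allowed = item is not None and network in item.networks
        if not allowed:
            self._audit(("network access denied", subject, network))
        return allowed

    def check_object(self, subject, obj, action):
        """Second type: may the subject perform the action on the local object?"""
        item = self._items.get(subject)
        allowed = (
            action in self._objects.get(obj, set())      # the object supports it
            and item is not None
            and action in item.objects.get(obj, set())   # the subject holds it
        )
        if not allowed:
            self._audit(("object access denied", subject, obj, action))
        return allowed


if __name__ == "__main__":
    denials = []
    ac = AccessControlSubmodule(denials.append)
    ac.define_object("PAYROLL.DAT", {"read", "write"})
    ac.authorize_network("U1001", "SPLICE LAN")
    ac.grant("U1001", "PAYROLL.DAT", {"read"})
    print(ac.check_network("U1001", "DDN"), ac.check_object("U1001", "PAYROLL.DAT", "read"))
    print(denials)
```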


3. Surveillance


In order to enforce a surveillance policy, it is recommended that a security auditing submodule be incorporated in the design of the SPLICE Security Module. No particular location for this submodule is recommended, as it should be a candidate for relocation from one physical machine to another as necessary to improve the overall performance of the SPLICE Configuration. This submodule will be invoked by the TM Module, the SS Module, the PM Module, and any other module which can recognize a security violation or system error. The appropriate actions for the submodule to take when invoked are to log the event, to notify the central system operator that an error or violation has occurred, and, if the error or violation is severe enough, to terminate the user's log-on or session.

The security-related information recorded should include at a minimum the following.

• A system access log which identifies who accessed the system, what terminal the access was made from, whether the access attempt was successful, and the date and time it occurred.

• An input/output log which identifies who requested the service, what function (read, write, enter, print) was provided, whether the function was successful, and the date and time it occurred.

• A processing log which records appropriate security-related information about system errors and security violations.
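The security auditing submodule specified above, as an added example that is not code from the thesis or the SPLICE project: any module that recognizes a violation or error calls it with an event, the event is filed in the system access, input/output or processing log with the fields listed, the central system operator is notified, and the user's session is terminated when the event is severe enough. The severity scale, the operator notification and session termination interfaces, and the sample events are constructed.

```python
"""Model of the SPLICE security auditing submodule.

Added example, not code from the thesis or the SPLICE project. The severity
scale, the operator/session interfaces and the sample events are constructed.
"""
from datetime import datetime, timezone
from enum import IntEnum

IO_FUNCTIONS = frozenset({"read", "write", "enter", "print"})


class Severity(IntEnum):
    ROUTINE = 0    # successful, expected activity: log only
    VIOLATION = 1  # failed or unauthorized request: log and notify the operator
    SEVERE = 2     # log, notify, and terminate the user's log-on or session


class SecurityAuditingSubmodule:
    def __init__(self, notify_operator, terminate_session):
        self.logs = {"access": [], "io": [], "processing": []}
        self._notify = notify_operator       # callable(message) -> None
        self._terminate = terminate_session  # callable(user) -> None

    @staticmethod
    def _default_severity(success, severity):
        if severity is not None:
            return severity
        return Severity.ROUTINE if success else Severity.VIOLATION

    def _file(self, log_name, entry, severity, user):
        """Common path: log the event, then notify and terminate by severity."""
        entry["time"] = datetime.now(timezone.utc).isoformat()
        entry["severity"] = severity.name
        self.logs[log_name].append(entry)
        if severity >= Severity.VIOLATION:
            self._notify(f"{log_name} log: {entry}")
        if severity >= Severity.SEVERE and user is not None:
            self._terminate(user)
        return entry

    def access_event(self, user, terminal, success, severity=None):
        """System access log: who, from what terminal, whether successful, when."""
        entry = {"user": user, "terminal": terminal, "success": success}
        return self._file("access", entry, self._default_severity(success, severity), user)

    def io_event(self, user, function, success, severity=None):
        """Input/output log: who requested, what function, whether successful, when."""
        if function not in IO_FUNCTIONS:
            raise ValueError(f"unknown I/O function {function!r}")
        entry = {"user": user, "function": function, "success": success}
        return self._file("io", entry, self._default_severity(success, severity), user)

    def processing_event(self, source, description, severity, user=None):
        """Processing log: system errors and security violations reported by a module."""
        entry = {"source": source, "description": description}
        return self._file("processing", entry, severity, user)


def replay_constructed_events(submodule):
    """Constructed sequence of events as the FEP, SS and PM Modules might report them."""
    submodule.access_event("U1001", "T-0417", True)
    submodule.access_event("U1001", "T-9999", False)
    submodule.io_event("U1001", "print", True)
    submodule.io_event("U1001", "write", False)
    submodule.processing_event("PM Module", "device T-9999 failed interrogation",
                               Severity.VIOLATION)
    submodule.processing_event("SS Module", "repeated unauthorized DDN access requests",
                               Severity.SEVERE, user="U1001")
    return submodule


if __name__ == "__main__":
    notes, ended = [], []
    audit = replay_constructed_events(SecurityAuditingSubmodule(notes.append, ended.append))
    for name, entries in audit.logs.items():
        print(name, len(entries), "entries")
    print("operator notices:", len(notes), "sessions terminated:", ended)
```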


B. OTHER RECOMMENDED SPLICE SECURITY MEASURES


It is recommended that NAVSUPINST 5510.6A be revised and reissued to accommodate the minimum mandatory countermeasures listed in Appendix J of Ref. 10, which was issued subsequent to NAVSUPINST 5510.6A. This would allow the mandatory countermeasures to be included by reference in the next version of the SPLICE Security and Risk Analysis Plan [Ref. 11].

The "SPLICE umbrella" contains many software products which are being developed by Central Design Activities for distribution to multiple activities. It is recommended that the SPLICE Project Officer insure that each software product is certified in accordance with OPNAVINST 5239.1A prior to distribution [Ref. 10: p. 3-1].

In the design of software products, the software controls listed in Appendix I of Ref. 10 must be incorporated. It should also be noted that contractor developed software and countermeasures are also subject to the requirements of Ref. 10.

It is recommended that the following actions be taken to help insure that the risk in SPLICE is quantified and managed at an acceptable level.

• A Network ADP Security Officer should be designated early in the lifecycle of the SPLICE Project. The individual so designated should be given a position high enough in the project organization and appropriate authority and resources to manage the SPLICE Risk Analysis Program and effect the necessary design changes and operational requirements.

• The Network ADP Security Officer should develop and maintain a comprehensive checklist of threats which are potentially present at any SPLICE activity. The reader is invited to review the works of Martin (1973), NBS FIPS 31 (1974), Ref. 21, and Ref. 22 for recommended lists of threats. The checklist should be made available to activity risk analysis teams.

• The Network ADP Security Officer should be given cognizance over all activity security incident reports [Ref. 10: p. 6-2] in order to identify and monitor vulnerabilities which potentially exist in the SPLICE Network.

• A risk management training program should be established to provide a consistent Risk Management Program throughout the SPLICE Network. A list of the responsibilities for ADP security training is provided in Chapter 10 of Ref. 10.

• The appropriate Inspector General review program for every SPLICE activity should incorporate a security review, as defined in OPNAVINST 5239.1A [Ref. 10: p. 8-1].
C. FUTURE RESEARCH QUESTIONS

1. Validation of Security Module Specifications


This thesis provides a formal program for risk management, but does not attempt to quantify the risk in any particular activity. Additional research should be accomplished in at least one of several ways. The risk of operating can be estimated by simulating a "typical SPLICE activity." This would require complete enumeration of all assets in the seven resource categories, and a listing of all "potential" threats facing a SPLICE activity.

Another research method would be to examine an existing Navy activity that is designated to become a SPLICE activity. By evaluating the changes in the data processing environment due to the SPLICE configuration, their impact on the ADP security posture of the activity can be properly examined.

By using one of these research methods, the recommended Security Functional Module can be validated and, if needed, additional countermeasures can be specified for in the design of the SPLICE software or implemented at the operational SPLICE activities.


2. Critique of Risk Management Models


The Risk Management Program models presented in Chapter 3 formalize the concepts proposed by Courtney [Ref. ...], NBS [Ref. 17], and Fitzgerald [Ref. 19], and adopted by the Navy in the DON ADP Security Program [Ref. 10]. Although the models presented here reflect the established concepts of the various references, no attempt has been made to analyze the validity of the concepts.

Both the Asset Loss Determination Model and the Threat and Vulnerability Evaluation Model are essentially exponential utility functions, which exhibit decreasing marginal utility. With respect to asset losses, this implies that an asset loss of $1,000 with a total asset loss level of $10,000 is not as significant as an asset loss of $1,000 when the asset loss level is at $100,000. A simple question arises in this reasoning. To a computer system manager, is the tenth day of doing without service less important than the first or second? Likewise, is losing the use of a tape drive less significant if you have already lost five tape drives than it is when you have lost none? There may exist an argument that the marginal utility should [...]

In threat and vulnerability evaluation, less significance is similarly placed on marginal risk as the activity becomes more vulnerable or more threats are present. Is the risk of a fourth or fifth attack not as significant as the second or third?

Finally, the Navy's risk management decision problem should be more fully modeled. Extremely [...] constraints are placed on the activity manager by the DAA who sets a maximum acceptable Total ALE. Although not documented in the Navy program, the setting of the maximum acceptable Total ALE is done by use of the DAA's utility function. Certainly this choice is made in light of other investment alternatives, and with regard to the Navy system of incentives, rewards, and penalties.
APPENDIX A


LIST OF ACRONYMS


ADP      Automatic Data Processing (See EDP)

ADPSO    Automatic Data Processing Security Officer

ADPSSO   Automatic Data Processing System Security Officer

ALE      Annual Loss Expectancy

ARPANET  Advanced Research Projects Agency Network

CPU      Central Processing Unit

CRC      Cyclical Redundancy Check

CRT      Cathode Ray Tube

DAA      Designated Approving Authority

DDN      Defense Data Network

EDP      Electronic Data Processing

[...]    [...]

FIPS     Federal Information Processing Standard (National Bureau of Standards)

GAO      General Accounting Office

I/O      Input/Output

IP       Internet Protocol

IPLI     Internet Private Line Interface

LCN      Local Computer Network

[...]    [...]

NBS      National Bureau of Standards

NSO      Network Security Officer

OMB      Office of Management and Budget

SPLICE   Stock Point Logistics Integrated Communications Environment

ST&E     Security Test and Evaluation

TASO     Terminal Area Security Officer

TCP      Transmission Control Protocol

VMM      Virtual Machine Monitor
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The majority of the definitions contained herein are 
taken from the Department of the Navy Automatic Data 
Processing Security Program Manual, JON AV ENS “523,902 
(Ref. 10]. AJ aG- riot eonomnse —er rom OONAVINS® S239.1A are 


referenced. 


REGEPTABLE LEVEL OF RISK. A judicious and carefully consid- 
erecd assessment by the approoriate Designatei Approving 
pemority (DAA) that an autonatic data processin (ADP) 
activity or network msets the minimum requirements of apvpli- 
@Saore Security direstives ani th? provisions of OPNAVINST 
eo. lA. The assessnent shouli take ints account the value 
of ADP assets; threats and vuln2rabilities; countermeasures 
meeethneir efficacy i1 compensating for vulnerabilities; and 


operational requirements. 


HeECESS. The ability and the means to approach, communicate 
peeere(2nput to or ras>eivs output from), or otherwist make 
use of any material or component in an ADP sys<em 

Personnel only receiving computer output products fron the 


ADP system and not eee tO (On TOtRSCEWNASe. Luterecain 


Watch the system (1.@, no “hanois on" or other direct 

Or inguiry capability) are not tonsidered to have ADP syste 

MeGess and are accordingly ast subject to che personnel 
security requirements of OPNAVINST 5239.13. Sieh. “Seo 
products, however, shall either be reviewed prior to dissen- 
ination or otherwise jietermined to be properly identified as 
MoemecoOncent and classification. ‘Ref. 35} 
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mecEtSo AULH ORIZATION. PessSworl and/or user id required to 
meet security restrictiors for the resource being accessed. 
Mrert. 13] 


ACCREDITATION. A policy decision by the responsible DAA 


resulting ina formal declaration that appropriate security 


countermeasures have been properly implemented for the ADP 
Mecivity Or network, so that the activity or etwork is 
Operating at 2n accsotable level of risk. The accredita+ion 


Seuid state the moda of operation and any operating linita- 


Peers applicable to the ADP activity or network. 


ADMINISTRATIVE SECURITY. Th2 management constraints; opera- 
Mmmomal, aiminictrative, ard accountability procedures; and 
Supplemental controls eéstablish2d to provide an acceptable 
Maelo protection for data. Synonymous with procedural 


security. [Ref. 36] 


ADP ACTIVITY. hiey ObManiZzecious | eEhtity With responsi baii= 
ties for developing, 2 perating, or maintaining an ADP system 
Seeretwork. 

ADP SECURITY. Measures required to protect against unau-
thorized (accidental or intentional) disclosure,
modification, or destruction of ADP systems and data, and
denial of service to process data. ADP security includes
consideration of all hardware/software functions, character-
istics, and/or features; operational procedures,
accountability procedures, and access controls at the
central computer facility, remote computer and terminal
facilities; management constraints; physical structures and
devices; and personnel and communication controls needed to
provide an acceptable level of risk for the ADP system and
for the data or information contained in the system.
ADP SECURITY STAFF. Individuals assigned and functioning as
action officials for ADP security within their respective
organization:

ADP Security Officer (ADPSO)

ADP Systems Security Officer (ADPSSO)

Network Security Officer (NSO)

Terminal Area Security Officer (TASO)

Office Information System Security Officer (OISSO)

ADP SYSTEM. An assembly of computer equipment, facilities,
personnel, software, and procedures configured for the
purpose of classifying, sorting, calculating, computing,
summarizing, storing, and retrieving data and information
with a minimum of human intervention. An ADP system as
defined for purposes of OPNAVINST 5239.1A is the totality of
automatic data processing equipment (ADPE) and includes:

a. General and special purpose computers (e.g., digital,
analog, or hybrid computer equipment);

b. Commercially available components, those produced as a
result of research and development, and the equivalent
systems created from them, regardless of size, capacity, or
price, which are utilized in the creation, collection,
storage, processing, communication, display, or dissemina-
tion of data;

c. Auxiliary or accessorial equipment, such as data commu-
nications terminals, source data automation recording
equipment (e.g., optical character recognition equipment,
paper tape typewriters, magnetic tape cartridge typewriters,
and other data acquisition devices), data output equipment
(e.g., digital plotters and computer output microfilmers),
etc., to be used in support of digital, analog, or hybrid
computer equipment, either cable-connected, wire-connected,
or self-standing;

d. Electrical accounting machines used in conjunction with
or independently of digital, analog or hybrid computers; and

e. Computer equipment which supports or is integral to a
weapons system. [Ref. 35]


ANNUAL LOSS EXPECTANCY (ALE). The ALE of an ADP system or
activity is the expected yearly dollar value loss from the
harm to the system or activity by attacks against its
assets.
ASSET. Any software, data, hardware, administrative, phys-
ical, communications, or personnel resource within an ADP
system or activity. See ADP RESOURCES.


ATTACK. The realization of a threat. How often a threat is
realized depends on such factors as the location, type, and
value of information being processed. Thus, short of moving
the system or facility or radically changing its mission,
there is usually no way that the level of protection can
affect the frequency of attack. The exceptions to this are
certain human threats where effective security measures can
have a deterrent effect. The fact that an attack is made
does not necessarily mean that it will succeed. The degree
of success depends on the vulnerability of the system or
activity and the effectiveness of its countermeasures.


AUDIT. To conduct the independent review and examination of
system records and activities in order to test for adequacy
of system controls, to ensure compliance with established
policy and operational procedures, and to recommend any
indicated changes in controls, policy, or procedures.

a. Internal Security Audit. An audit conducted by
personnel responsible to the management of the organization
being audited.

b. External Security Audit. An audit conducted by an
organization independent of the one being audited.
[Ref. 36]





BROWSING. The act of searching through storage to locate or
acquire information without necessarily knowing the exis-
tence or the format of the information being sought.


CENTRAL COMPUTER FACILITY. One or more computers with their
peripheral and storage units, central processing units, and
communications equipment in a single controlled area. This
does not include remote computer facilities, peripheral
devices, or terminals which are located outside the single
controlled area, even though they are connected to the
central computer facility by approved communication links.
[Ref. 37]


CENTRAL SYSTEM OPERATOR. A system user who by virtue of
security access control authorization has access to the user
mode and the central system operator mode of the command
interpreter. [Ref. 13]


COMMUNICATIONS SECURITY. The protection resulting from all
measures designed to deny unauthorized persons information
of value which might be derived from the possession and
study of telecommunications, or to mislead unauthorized
persons in their interpretation of the results of such
possession and study. Also called "COMSEC." Communications
security includes cryptosecurity, transmission security,
emission security, and physical security of communications
security materials and information.


CONFIGURATION MANAGEMENT. The use of procedures appropriate
for controlling changes to a system's hardware and software
structure for the purpose of insuring that such changes will
not lead to decreased data security.


CONTINGENCY PLANS. A plan for emergency response, backup
operations, and post-disaster recovery maintained by an ADP
activity as a part of its security program. A comprehensive
consistent statement of all the actions (plan) to be taken
before, during, and after a disaster (emergency condition),
along with documented, tested procedures which, if followed,
will ensure the availability of critical ADP resources and
which will facilitate maintaining the continuity of opera-
tions in an emergency situation.
COUNTERMEASURE. See section II.A.4. 


DATA INTEGRITY. The state that exists when computerized
data is the same as that in the source documents and has not
been exposed to accidental or intentional modification,
disclosure, or destruction. [Ref. 36]


DATA LEVEL.

Level I. Classified data.

Level II. Unclassified data requiring special protection;
for example, Privacy Act, For Official Use Only, technical
documents restricted to limited distribution.

Level III. All other unclassified data.


DATA SECURITY. The protection of data from unauthorized
(accidental or intentional) modification, destruction, or
disclosure. [Ref. 35]


DESIGNATED APPROVING AUTHORITY (DAA). An official assigned
responsibility to accredit ADP elements, activities, and
networks under the official's jurisdiction.


ESCORT(S). Duly designated personnel who have appropriate
clearances and access authorizations for the material
contained in the system and are sufficiently knowledgeable
to understand the security implications of and to control
the activities and access of the individual being escorted.
[Ref. 37]
HARDWARE SECURITY. Computer equipment features or devices
used in an ADP system to preclude unauthorized accidental or
intentional modification, disclosure, or destruction of ADP
resources.


MATERIAL. "Material" refers to data processed, stored, or
used in and information generated by an ADP system regard-
less of form or medium, e.g., programs, reports, data sets
or files, records, and data elements. [Ref. 35]


NEED-TO-KNOW. The necessity for access to, knowledge of, or
possession of certain information required to carry out
official duties. Responsibility for determining whether a
person's duties require the possession of or access to such
information and whether the individual is authorized to
receive it rests upon the individual having current posses-
sion, knowledge, or control of the information involved and
not upon the prospective recipient(s).


NETWORK. An interconnection of two or more ADP central
computer facilities that provides for the transfer or
sharing of ADP resources. An ADP network consists of the
central computer facilities, the remote terminals, the
interconnecting communication links, the front-end proces-
sors, and the telecommunications systems.


OPERATING SYSTEM (O/S). An integrated collection of service
routines for supervising the sequencing and processing of
programs by a computer. Operating systems control the allo-
cation of resources to a user and their programs and play a
central role in ensuring the secure operation of a computer
system. Operating systems may perform debugging, input/
output, accounting, resource allocation, compilation,
storage assignment tasks, and other "system" related func-
tions. Synonymous with terms such as "Monitor,"
"Executive," "Control Program," and "Supervisor." [Ref. 35]
PASSWORD. A protected word or string of characters that
identifies or authenticates a user for access to a specific
resource such as a data set, file, or record.


PERSONAL DATA. Data about an individual including, but not
limited to, education, financial transactions, medical
history, qualifications, service data, criminal or employ-
ment history which ties the data to the individual's name,
or an identifying number, symbol, or other identifying
particular assigned to the individual, such as a finger or
voice print or a photograph.


PERSONNEL SECURITY. The procedures established to ensure
that each individual has a background which indicates a
level of assurance of trustworthiness which is commensurate
with the value of ADP resources which the individual will be
able to access.


PHYSICAL SECURITY. Physical security is the protection of a
material entity (property) from disruption of its safe and
secure state and is concerned with physical measures
designed to safeguard personnel, to prevent unauthorized
access to equipment, facilities, material, and documents,
and to safeguard them against espionage, sabotage, damage,
and theft. It includes the use of locks, badges, and
similar measures to control access to the central computer
facility, and the measures required for the protection of
the structures housing the central computer facility from
accident, fire, environmental hazards, loss of utilities,
and unauthorized access.

REVIEW AND APPROVAL. The process whereby information
pertaining to the security and integrity of an ADP activity
or network is collected, analyzed, and submitted to the
appropriate DAA for accreditation of the activity or
network.
RESOURCE-SHARING COMPUTER SYSTEM. A computer system which
uses its resources, including input/output (I/O) devices,
storage, central processor (arithmetic and logic units),
control units, and software processing capabilities, to
enable one or more users to manipulate data and to process
co-resident programs in an apparently simultaneous manner.
The term includes systems with one or more capabilities
commonly referred to as time-sharing, multiprogramming,
multi-accessing, multi-processing, or concurrent processing.
[Ref. 35]


RISK. See section II.A.1.


RISK ANALYSIS (ASSESSMENT). An analysis of system assets
and vulnerabilities to establish an expected loss from
certain events based on estimated probabilities of the
occurrence of these events. The purpose of a risk assess-
ment is to determine if countermeasures are adequate to
reduce the probability of loss or the impact of loss to an
acceptable level.
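As an added worked example (not part of the thesis), the ATTACK, ANNUAL LOSS EXPECTANCY and RISK ANALYSIS definitions carried into a small Python model: each exposure of an asset to a threat contributes attack frequency x probability of success x single loss; countermeasures reduce the probability of success and, for deterrable human threats, the attack frequency; the assessment then compares the residual ALE with an acceptable level and with the countermeasures' own cost. All asset values, frequencies and probabilities are constructed figures.

```python
"""Risk analysis in the glossary's terms: assets, threats, attacks,
vulnerabilities, countermeasures and annual loss expectancy (ALE).
Every figure in the sample data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Pair = Tuple[str, str]  # (asset name, threat name)


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # dollar value at risk


@dataclass(frozen=True)
class Threat:
    name: str
    attacks_per_year: float  # how often the threat is realized (ATTACK)
    deterrable: bool = False  # human threats that security measures can deter


@dataclass(frozen=True)
class Exposure:
    """Vulnerability of one asset to one threat."""
    asset: str
    threat: str
    p_success: float  # probability an attack succeeds with no countermeasures
    loss_fraction: float  # fraction of the asset's value lost on success


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    efficacy: Dict[Pair, float]  # fraction of p_success removed, per exposure
    deterrence: Dict[str, float]  # fraction of attack frequency removed, per threat


def annual_loss_expectancy(assets: List[Asset], threats: List[Threat],
                           exposures: List[Exposure],
                           measures: Iterable[Countermeasure] = ()) -> float:
    """ALE = sum over exposures of frequency x P(success) x single loss."""
    value = {a.name: a.value for a in assets}
    by_name = {t.name: t for t in threats}
    total = 0.0
    for e in exposures:
        t = by_name[e.threat]
        freq, p = t.attacks_per_year, e.p_success
        for m in measures:
            p *= 1.0 - m.efficacy.get((e.asset, e.threat), 0.0)
            if t.deterrable:  # only human threats can be deterred
                freq *= 1.0 - m.deterrence.get(e.threat, 0.0)
        total += freq * p * value[e.asset] * e.loss_fraction
    return total


def assess(assets, threats, exposures, measures, acceptable_ale: float) -> dict:
    """Risk assessment: is the residual ALE acceptable, and do the
    countermeasures reduce expected loss by more than they cost?"""
    before = annual_loss_expectancy(assets, threats, exposures)
    after = annual_loss_expectancy(assets, threats, exposures, measures)
    cost = sum(m.annual_cost for m in measures)
    return {
        "ale_before": before,
        "ale_after": after,
        "countermeasure_cost": cost,
        "net_annual_benefit": (before - after) - cost,
        "adequate": after <= acceptable_ale,
    }


# Constructed sample: two assets, one human and one environmental threat.
ASSETS = [Asset("payroll data", 200_000.0), Asset("central computer", 500_000.0)]
THREATS = [Threat("browsing", 12.0, deterrable=True), Threat("fire", 0.05)]
EXPOSURES = [
    Exposure("payroll data", "browsing", p_success=0.5, loss_fraction=0.1),
    Exposure("central computer", "fire", p_success=0.8, loss_fraction=0.6),
]
MEASURES = [
    Countermeasure("access controls and security log", 15_000.0,
                   efficacy={("payroll data", "browsing"): 0.8},
                   deterrence={"browsing": 0.5}),
    Countermeasure("fire suppression", 8_000.0,
                   efficacy={("central computer", "fire"): 0.75},
                   deterrence={}),
]

if __name__ == "__main__":
    for key, val in assess(ASSETS, THREATS, EXPOSURES, MEASURES, 20_000.0).items():
        print(f"{key:>20}: {val}")
```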


SECURITY ACCESS CONSTRAINTS. The process and file access
restrictions imposed by the security requirements.
[Ref. 13]
SECURITY FILE. File containing user ids and associated
access constraints. [Ref. 13]


SECURITY LOG. Data collection of all violations of the
security requirements. [Ref. ]


SECURITY OFFICER. Designated individual who is responsible
for maintaining the security procedures of the
installation. [Ref. 13]


SECURITY INSPECTION. An examination of an ADP system to
determine compliance with ADP security policy, procedures,
and practices.
SECURITY SPECIFICATIONS. A detailed description of the
countermeasures required to protect an ADP activity or
network from unauthorized (accidental or intentional)
disclosure, modification, and destruction of data, or denial
of service.


SECURITY TEST AND EVALUATION (ST&E). An examination and
analysis of the security features of an ADP activity or
network as they have been applied in an operational environ-
ment to determine the security posture of the activity or
network upon which an accreditation can be based.


SECURITY VIOLATION. Any attempt to gain access to the oper-
ating system, the operating system files and executable
modules, or system user files and executable modules.
[Ref. 13]


SENSITIVE BUSINESS DATA. Data which requires protection
under Title 18, USC 1905, and other data which by its nature
requires controlled distribution or access for reasons other
than the fact that it is classified or personal data.
Sensitive Business Data is recognized in the following
categories:

a. For Official Use Only--Requiring confidentiality of
information derived from Inspector General, authority, or
other investigative activity.

b. Financial--Requiring protection to ensure the integrity
of funds or other fiscal assets.

c. Sensitive Management--Requiring protection to defend
against the loss of property, material, or supplies or to
defend against the disruption of operations or normal
management practices, etc.

d. Proprietary--Requiring protection to protect data or
information in conformance with a limited rights agreement
or which is the exclusive property of a civilian corporation
or individual and which is on loan to the Government for
evaluation or for its proper use in adjudicating contracts.

e. Privileged--Requiring protection for conformance with
business standards or as required by law. (Example:
Government-developed information involving the award of a
contract.)


SPLICE CONFIGURATION. An integrated set of six hardware/
software systems required to achieve the functional,
performance and capacity requirements of the SPLICE
specifications. [Ref. 13]

SPLICE LOCATION. One or more SPLICE configurations in the
same geographical area (on the same Local Computer Network)
connected to Government-furnished equipment and interfaces.
[Ref. 13]


SPLICE NETWORK. Provides the connectivity between geograph-
ically distant SPLICE locations. Government furnished data
communications lines shall connect the locations through
common carrier lines and/or through a Government-furnished
network. [Ref. 13]


THREAT. See section II.A.2.


USER. A person or agency obtaining products or services
produced by an ADP system either by accessing the system or
by other means.


USER ID. Data element input to identify a system user and
to label processing products resulting from the user-
initiated processing. [Ref. 13]


VULNERABILITY. See section II.A.3.







APPENDIX C

DEFENSE DATA NETWORK

This appendix provides a short summary of the Defense
Data Network (DDN). The source document used is the Defense
A. GENERAL DESCRIPTION 


The DDN will be an integrated packet-switching data
network designed to satisfy all DOD data network require-
ments projections through the 1990's. The DDN will take
advantage of existing networks, notably the WWMCCS
Intercomputer Network (WIN) and the Advanced Research
Projects Agency Network (ARPANET), and will be based
primarily on ARPANET technology. Table X lists the standard
components to be used in the DDN.

TABLE X
Standard DDN Components

  Switching node hardware
  Switching node software
  Security devices
  Mini-TACs
  Host front-end devices
  Host interface devices

There will be 171 switching nodes located at about 85
widely distributed sites. The switching node is a Bolt
Beranek and Newman (BBN) C/30, a microprogrammed
minicomputer costing about $45,900 (including TEMPEST/HEMP
protection). The C/30 is designed for unattended opera-
tions. The switching nodes will be located on military
facilities and secured to at least the SECRET level. The
network will have a principal System Monitoring Center
(SMC), an alternate SMC, regional Monitoring Centers (MCs)
in Europe and the Pacific, and MCs for each separate
community.

The DDN provides for increased survivability in several
ways. The 171 fixed switching nodes and 9 fixed MCs will
have HEMP protection (EM shielding, line isolation, and
surge arresting protection). Sites with no backup power
will be provided uninterruptible power supplies (UPS).
There will be five prepositioned mobile reconstruction nodes
equipped with MC capability. A dynamically adaptive routing
algorithm will automatically route traffic around congested,
damaged, or destroyed switches and trunks. Additionally,
the trunking grid will provide redundancy at all possible
points in the network.

There will be at least 99% availability between any pair
of single-homed users. Critical subscribers will be dual-
homed (a single access line to two switching nodes),
providing at least 99.5% availability. Dual access lines to
a single node can also be used.
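An added illustration (not from the source document) of why dual-homing raises availability: with constructed component availabilities, the end-to-end availability between two subscribers is computed for single-homed access, one line to two switching nodes, and two lines to one node. The line, node and backbone figures are assumptions for the arithmetic, not the DDN's 99% and 99.5% requirements.

```python
"""Subscriber-pair availability under the three DDN access arrangements.
Single-homed: one access line to one switching node.
Dual-homed: one access line terminating on two switching nodes.
Dual lines to one node: two access lines to a single switching node.
All component availabilities passed in below are constructed assumptions."""
from typing import Dict


def series(*avail: float) -> float:
    """Every component must be up: availabilities multiply."""
    result = 1.0
    for a in avail:
        result *= a
    return result


def parallel(*avail: float) -> float:
    """At least one redundant component must be up: unavailabilities multiply."""
    unavail = 1.0
    for a in avail:
        unavail *= 1.0 - a
    return 1.0 - unavail


def single_homed(line: float, node: float) -> float:
    return series(line, node)


def dual_homed(line: float, node: float) -> float:
    """One line, two nodes: the node is no longer a single point of failure."""
    return series(line, parallel(node, node))


def dual_lines_one_node(line: float, node: float) -> float:
    """Two lines, one node: the line is no longer a single point of failure."""
    return series(parallel(line, line), node)


def pair_availability(access_a: float, access_b: float, backbone: float) -> float:
    """Both subscribers' access arrangements and the backbone (adaptive
    routing over a redundant trunking grid) must all be up."""
    return series(access_a, access_b, backbone)


def compare_homing(line: float, node: float, backbone: float) -> Dict[str, float]:
    """Pair availability for each arrangement, with both ends homed alike."""
    access = {
        "single-homed": single_homed(line, node),
        "dual-homed (two nodes)": dual_homed(line, node),
        "dual lines to one node": dual_lines_one_node(line, node),
    }
    return {name: pair_availability(a, a, backbone) for name, a in access.items()}


if __name__ == "__main__":
    # Constructed assumptions: line 99.9%, switching node 99.7%, backbone 99.98%
    for name, avail in compare_homing(0.999, 0.997, 0.9998).items():
        print(f"{name:<24} {avail:.4%}")
```

Which redundancy pays depends on the weaker element: duplicating the node helps when the node is less reliable than the line, and the reverse when the line is the weak point.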

Precedence levels can be assigned by originating hosts
and terminals, and will be used in the allocation of network
resources. Switching nodes provide for four levels of
precedence, with preemption of lower precedence communica-
tions. Category I (FLASH and FLASH-OVERRIDE) communications
will be processed in non-blocking mode exclusive of all
other traffic modes and volumes.
Communications errors will be minimized by the use of
error detection and correction mechanisms. A Cyclic
Redundancy Check (CRC) is associated with host messages on
the access lines and packets on trunks. A 32-bit CRC is
used with SIP-compatible hosts. Additionally, 16-bit
checksums are provided on an end-to-end basis within the
switch subnetwork and on a user-to-user basis via the
Transmission Control Protocol (TCP). Error detection and
correction hardware is used in the switches for protecting
against memory failures and for checksumming of critical
data structures and portions of code.


B. SPECIFIC DDN HARDWARE/SOFTWARE


The BBN C/30 Packet Switching Processor is a multi-
board, microprogrammed minicomputer, with 64k words of
random access memory (RAM), which supports a full range of
synchronous and asynchronous I/O interfaces. The C/30 soft-
ware is the ARPANET Interface Message Processor (IMP)
program which can be loaded locally (from a cassette) or
downline loaded from a MC. The software provides the
following functional capabilities:

• Store and forward traffic processing.

• Host access and end-to-end traffic processing (with a
variety of host access protocols, see p. 33 of Ref. 38).

• Dynamic, adaptive, distributed routing which measures
actual packet delays and routes individual packets along
the least delay path.

• Monitoring and control services.
The Internet Private Line Interface (IPLI) is a
security device, currently under development as part of
the DDN program, which will be used for end-to-end encryp-
tion. It is composed of three functional units: a KG 84
cryptographic device and two MC68000 based packet processors
(one on each side of the KG 84). Figure C.1 shows the
placement of the IPLI with each host for end-to-end encryp-
tion on the DDN. The software in each processor will be
based on the CMOS operating system, with the basic functions
necessary for the DOD standard internet environment and
monitoring and control functions. The protocol interfaces
conform to the DOD Standard Internet Protocol (IP). Since
the packet processing occurs at the lower level of the IP,
the TCP and other protocols which exist above the IP can be
supported.

Exclusive of the KG 84, the estimated unit cost for
production IPLIs (after FY84) is [figures illegible in the
source].


The mini-TAC is a terminal access device that allows a
cluster of up to 16 synchronous and asynchronous terminals
access to the network. It is logically equivalent to a
network host and will use the same host-host protocols. The
MC68000-based mini-TAC software allows a terminal to connect
to hosts on the network. The mini-TAC software multiplexes
all the terminal-host connections over a single link between
it and the switching node. Since mini-TACs will not
initially provide dial-up access, access will be over hard-
wired lines and controlled by physical access control
measures.

The mini-TAC will be constructed around a Motorola
MC68000 microprocessor with memory, 16 synchronous or
asynchronous terminal ports, and multiple network interface
ports (to allow dual-homing). The mini-TAC will meet
TEMPEST and HEMP requirements. It will communicate with
other network hosts using DOD standard protocols (TCP/IP).
Terminal level support is provided via the Telnet protocol.

The mini-TAC will be designed for unattended opera-
tions. Configuration and hardware and software fault
diagnosis can be done remotely from a Monitoring Center.
Repair will be by board swapping. In quantities of 100, the
production cost per unit is estimated at $7500 plus $250 per
port.


C. SECURITY FEATURES

1. Link Encryption

The KG 84 crypto device will be used on all back-
bone trunks, on all access lines to classified hosts, and
on access lines to sites that act as MCs for the unclassified
community. Because all hosts will use the IPLI described
above, communications on these links will be "super
encrypted." The link encryption will protect traffic
patterns and monitoring reports, which could yield traffic
analysis information. Protection of switch control
traffic is important since this traffic includes
downline loading of sensitive switch software.


Separation of subscribers operating at different
system high levels is provided by the use of IPLIs (at least
one IPLI key for each different system high level), creating
at least one logical subnet for each security level. Since
IP and subnet headers must be in the clear for packet
processing within the switch, all switches are TEMPEST
enclosed and in military facilities secured to at least the
SECRET level. Establishment of logical subnets will guar-
antee against delivery of communications to any subscriber
outside the subnet. This guarantee against misdelivery will
be used to protect statistical reports from being delivered
to any hosts other than an MC. Each MC and the fake host in
each switch that communicates with the MC will be members of
one logical subnet. Additionally, only the SMC can retrieve
the accumulated traffic statistics.


3. Separation of Communities of Interest

Communities of interest are subscriber groups which
present an acceptable level of risk to each other and
require a high level of interoperability. Separation of
communities of interest is accomplished through the creation
of logical subnets by cryptographic means, by software
control, or both. For unclassified subscribers, the
switches provide the ability to define logical subnets which
restrict traffic to flow only among the members of that
logical subnet. The number of subnets provided by the
switches is currently limited to 16, but can be increased to
32 or 64.

Classified user communities will be separated by
IPLI subnets (like-keyed IPLIs).


4. Individual Access Control

Access control to a subscriber facility is the
responsibility of the subscribers themselves. Basic network
access of one subscriber to another is controlled with
respect to authorized security level and community of
interest, but the network will not verify that the indi-
vidual user (person or process) has valid access to the
subscriber.


5. Personnel Clearances and Keys

All personnel with access to switches must be
cleared to the SECRET level due to the traffic analysis
potential. This clearance level also applies to all
personnel at the MCs. Personnel manning an MC for a secure
subnet must be cleared to the level of the subnet subscri-
bers. Crypto technicians will be required for keying the
IPLIs for each community and for link KGs. The keying
material for each IPLI community is available only at the
IPLI sites. The keying material for the link KGs is avail-
able on a pairwise basis at the switch sites based on switch